dotnet/aspnetcore

Allow backwards-forwards navigation caching with antiforgery tokens

Open

#54464 opened on Mar 10, 2024

Labels: area-middleware, enhancement, feature-antiforgery, help wanted

Description

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Currently, using the default antiforgery implementation (DefaultAntiforgery), the headers "no-cache, no-store" are supplied.

The no-store header has the unfortunate side effect of slowing browser navigation by incurring additional web requests to the server whenever the user navigates using the forward and backward buttons.

From my (limited) understanding of antiforgery tokens, this should be entirely doable.

This results in a page diagnostics warning. The rest of the reasons for this error disappear without the debugger attached.


Disabling antiforgery site-wide is not simple nor does it appear to be officially supported.

Expected Behavior

Antiforgery should use no-cache instead of no-cache, no-store; or at least make this configurable so that backward-forward caching can be easily enabled.

Steps To Reproduce

  1. Create a blank project

  2. Disable DOM preservation by replacing

    <script src="_framework/blazor.web.js"></script>

    with

    <script src="_framework/blazor.web.js" autostart="false"></script>
    <script>
        Blazor.start({
            ssr: { disableDomPreservation: true }
        });
    </script>

  3. Add the time to the home page so we can see whether it's being cached

  4. Launch the application.

  5. Navigate from the home page to another page, and then navigate back to the home page using the back button.

  6. Observe that the time has been updated, and in the network tab observe that a web request has been made.

You can check out the project here.
https://github.com/Fydar/AntiforgeryNoCacheIssue

Exceptions (if any)

No response

.NET Version

8.0.200

Anything else?

https://web.dev/articles/bfcache#minimize-no-store
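
One possible workaround for the behaviour described in this issue, as an added example (not code from the issue, its reproduction project, or the ASP.NET Core team): a small middleware that rewrites the `no-cache, no-store` value just before the response headers are sent. It assumes the `Program.cs` of a .NET 8 Blazor Web App with the template's root component `App`, and it assumes that nothing else in the application depends on `no-store` for these pages.

```csharp
// Added example: Program.cs for a .NET 8 Blazor Web App (minimal hosting model).
// Assumptions: `App` is the template's root component (add the project's own
// `using` for its namespace), and no other component relies on "no-store"
// being present on HTML responses.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorComponents();

var app = builder.Build();

// Registered ahead of UseAntiforgery() so the callback exists for every request.
app.Use(async (context, next) =>
{
    // OnStarting callbacks run immediately before headers are written, which is
    // after the antiforgery service has set its own Cache-Control value.
    context.Response.OnStarting(() =>
    {
        var response = context.Response;
        var cacheControl = response.Headers.CacheControl.ToString();

        // Limit the rewrite to successful HTML responses to GET requests, so
        // error pages, POST results and API responses keep whatever they had.
        bool isHtmlGet = HttpMethods.IsGet(context.Request.Method)
            && response.StatusCode == StatusCodes.Status200OK
            && (response.ContentType?.StartsWith("text/html",
                    StringComparison.OrdinalIgnoreCase) ?? false);

        if (isHtmlGet
            && cacheControl.Contains("no-store", StringComparison.OrdinalIgnoreCase))
        {
            // "private" (a choice made in this example, not requested in the
            // issue) keeps the token-bearing page out of shared caches;
            // "no-cache" still forces revalidation before HTTP-cache reuse.
            response.Headers.CacheControl = "private, no-cache";
        }

        return Task.CompletedTask;
    });

    await next(context);
});

app.UseStaticFiles();
app.UseAntiforgery();
app.MapRazorComponents<App>();
app.Run();
```

With `no-store` gone, the response no longer carries the directive that the linked web.dev article lists as making a page ineligible for the back/forward cache; the page restored from that cache still contains the antiforgery token it was rendered with.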
