Avoid validating antiforgery for non form data content types

dotnet · May 8, 2024 · 16c62e1 · 16c62e1
1 parent 7a211fb
commit 16c62e1
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs b/src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs
@@ -163,11 +163,22 @@ private async Task<RequestValidationState> ValidateRequestAsync(HttpContext cont
             // want to run the form handling logic against the error page.
             context.Features.Get<IExceptionHandlerFeature>() == null;
 
+
         if (processPost)
         {
-            var valid = false;
+            if (!context.Request.HasFormContentType)
+            {
+                context.Response.StatusCode = StatusCodes.Status400BadRequest;
+                if (context.RequestServices.GetService<IHostEnvironment>()?.IsDevelopment() == true)
+                {
+                    await context.Response.WriteAsync("The request has an incorrect Content-type.");
+                }
+                return RequestValidationState.InvalidPostRequest;
+            }
+
             // Respect the token validation done by the middleware _if_ it has been set, otherwise
             // run the validation here.
+            var valid = false;
             if (context.Features.Get<IAntiforgeryValidationFeature>() is { } antiForgeryValidationFeature)
             {
                 if (!antiForgeryValidationFeature.IsValid)