[Analyzer] Prefer HttpRequest.ReadFormAsync over HttpRequest.Form #47460
Labels
analyzer: Indicates an issue which is related to analyzer experience
api-suggestion: Early API idea and discussion, it is NOT ready for implementation
area-minimal: Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc
area-mvc: Includes: MVC, Actions and Controllers, Localization, CORS, most templates
Background and Motivation

HttpRequest.Form is a blocking API (it reads the request body which may not be available yet). Using it can cause thread exhaustion and server throughput problems.

HttpRequest.Form is confusing to people as similar APIs such as HttpRequest.QueryString, HttpRequest.Cookies, HttpRequest.Headers, etc., are safe to use.

Proposed Analyzer
Analyzer Behavior and Message
Using HttpRequest.Form should generate a warning. There are some cases where it is safe to use, so we need to figure out how broad to make the warning.

One option could be:
See discussion at #44390 (comment) for more info.
Category
Severity Level
Usage Scenarios
Risks
HttpRequest.Form is safe if the form has already been loaded. People who know and rely on that behavior and like the terseness of HttpRequest.Form would be impacted. They could either suppress the analyzer or assign the form to a local variable:
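
The blocking and non-blocking reads discussed in this issue, side by side, as an added example that is not code from the issue or from the ASP.NET Core project. It assumes a Microsoft.NET.Sdk.Web project with implicit usings; the routes and the "name" form field are hypothetical.

```csharp
// Added example. Routes ("/blocking", "/async") and the "name" field
// are hypothetical; assumes a Microsoft.NET.Sdk.Web project.
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Pattern the proposed analyzer would warn on: the Form getter reads and
// parses the request body synchronously, so the thread-pool thread is held
// while the client is still sending. Many slow uploads at once can exhaust
// the pool and stall unrelated requests.
app.MapPost("/blocking", (HttpRequest request) =>
{
    // Reading the form from a non-form request throws, so check first.
    if (!request.HasFormContentType)
        return Results.BadRequest("expected a form body");

    IFormCollection form = request.Form;
    return Results.Text($"hello {form["name"]}");
});

// Preferred pattern: await the body read so the thread goes back to the
// pool until the data arrives. The token is bound to the request's abort
// signal, so a dropped connection cancels the read.
app.MapPost("/async", async (HttpRequest request, CancellationToken ct) =>
{
    if (!request.HasFormContentType)
        return Results.BadRequest("expected a form body");

    IFormCollection form = await request.ReadFormAsync(ct);

    // From here on the form has already been loaded, which is the case the
    // Risks section calls safe. Keeping the result in the local variable
    // avoids touching the Form property again.
    return Results.Text($"hello {form["name"]}");
});

app.Run();
```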