Skip to content

[release/10.0] Fix ComponentStatePersistenceManager iteration to prevent AntiforgeryValidationException in Blazor WASM #63694

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 18, 2025
Merged

[release/10.0] Fix ComponentStatePersistenceManager iteration to prevent AntiforgeryValidationException in Blazor WASM #63694

merged 3 commits into from
Sep 18, 2025

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Sep 16, 2025
edited by javiercn
Loading

Backport of #63674 to release/10.0

/cc @javiercn @copilot

Fix ComponentStatePersistenceManager iteration to prevent AntiforgeryValidationException in Blazor WASM

Some persistent component state callbacks might not get invoked if a previous callback unregisters itself from the list of registered callbacks during invocation.

Description

Under the circumstances described above, we fail to persist the antiforgery token to the client, which causes logout to fail later on. The problem manifests with antiforgery but the issue is larger (and due to the way we handle the subscriptions, which is what this change fixes)

Fixes #58822

Customer Impact

When a customer uses persistent component state, their callback might not get invoked if a previously registered callback removes itself from the list. This can cause their state to be lost when transitioning to interactive render mode, which can cause hard to debug issues if the state is not used until alter on.

In the case from the bug, the antiforgery token from the server does not persist to webassembly and that causes the logout functionality to fail later on.

Regression?

  • Yes
  • No

7.0 - This was introduced with the 8.0 update to Blazor web when we switched the approach to auth.

Risk

  • High
  • Medium
  • Low

The order in which callback are invoked is not guaranteed by the framework.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

@github-actions github-actions bot requested a review from a team as a code owner September 16, 2025 13:02
@lewing lewing added the Servicing-consider Shiproom approval is required for the issue label Sep 16, 2025
@lewing lewing added this to the 10.0-rc2 milestone Sep 18, 2025
@danmoseley danmoseley added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Sep 18, 2025
@lewing lewing merged commit 2210c0c into release/10.0 Sep 18, 2025
28 checks passed
@lewing lewing deleted the backport/pr-63674-to-release/10.0 branch September 18, 2025 17:15
@dotnet-policy-service dotnet-policy-service bot modified the milestone: 10.0-rc2 Sep 18, 2025
wtgodbe added a commit that referenced this pull request Sep 19, 2025
@wtgodbe @sebastienros
@dotnet-maestro @github-actions @MackinnonBuck @Copilot @javiercn @maraf @oroztocil
[automated] Merge branch 'release/10.0' => 'main' (#63720)
f5b4362 
* [release/10.0] Implement KnownNetworks dual list (#63658)

* Refactor unit tests to handle the obsolete property

* Implement KnownNetworks dual list

Fixes #63627

* Update dependencies from https://dev.azure.com/dnceng/internal/_git/dotnet-optimization build 20250908.1 (#63679)

On relative base path root
optimization.linux-arm64.MIBC.Runtime , optimization.linux-x64.MIBC.Runtime , optimization.windows_nt-arm64.MIBC.Runtime , optimization.windows_nt-x64.MIBC.Runtime , optimization.windows_nt-x86.MIBC.Runtime From Version 1.0.0-prerelease.25453.1 -> To Version 1.0.0-prerelease.25458.1

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

* Update `Microsoft.Identity.Web` dependencies (#63705)

Co-authored-by: Mackinnon Buck <[email protected]>

* Update dependencies from https://github.com/dotnet/dotnet build 283666 (#63712)

Updated Dependencies:
Microsoft.NET.Runtime.WebAssembly.Sdk, Microsoft.NETCore.BrowserDebugHost.Transport, Microsoft.NET.Runtime.MonoAOTCompiler.Task, dotnet-ef, Microsoft.Bcl.AsyncInterfaces, Microsoft.Bcl.TimeProvider, Microsoft.EntityFrameworkCore, Microsoft.EntityFrameworkCore.Design, Microsoft.EntityFrameworkCore.InMemory, Microsoft.EntityFrameworkCore.Relational, Microsoft.EntityFrameworkCore.Sqlite, Microsoft.EntityFrameworkCore.SqlServer, Microsoft.EntityFrameworkCore.Tools, Microsoft.Extensions.Caching.Abstractions, Microsoft.Extensions.Caching.Memory, Microsoft.Extensions.Configuration, Microsoft.Extensions.Configuration.Abstractions, Microsoft.Extensions.Configuration.Binder, Microsoft.Extensions.Configuration.CommandLine, Microsoft.Extensions.Configuration.EnvironmentVariables, Microsoft.Extensions.Configuration.FileExtensions, Microsoft.Extensions.Configuration.Ini, Microsoft.Extensions.Configuration.Json, Microsoft.Extensions.Configuration.UserSecrets, Microsoft.Extensions.Configuration.Xml, Microsoft.Extensions.DependencyInjection, Microsoft.Extensions.DependencyInjection.Abstractions, Microsoft.Extensions.DependencyModel, Microsoft.Extensions.Diagnostics, Microsoft.Extensions.Diagnostics.Abstractions, Microsoft.Extensions.FileProviders.Abstractions, Microsoft.Extensions.FileProviders.Composite, Microsoft.Extensions.FileProviders.Physical, Microsoft.Extensions.FileSystemGlobbing, Microsoft.Extensions.HostFactoryResolver.Sources, Microsoft.Extensions.Hosting, Microsoft.Extensions.Hosting.Abstractions, Microsoft.Extensions.Http, Microsoft.Extensions.Logging, Microsoft.Extensions.Logging.Abstractions, Microsoft.Extensions.Logging.Configuration, Microsoft.Extensions.Logging.Console, Microsoft.Extensions.Logging.Debug, Microsoft.Extensions.Logging.EventLog, Microsoft.Extensions.Logging.EventSource, Microsoft.Extensions.Logging.TraceSource, Microsoft.Extensions.Options, Microsoft.Extensions.Options.ConfigurationExtensions, Microsoft.Extensions.Options.DataAnnotations, Microsoft.Extensions.Primitives, Microsoft.Internal.Runtime.AspNetCore.Transport, Microsoft.NETCore.App.Ref, Microsoft.NETCore.Platforms, System.Collections.Immutable, System.Composition, System.Configuration.ConfigurationManager, System.Diagnostics.DiagnosticSource, System.Diagnostics.EventLog, System.Diagnostics.PerformanceCounter, System.DirectoryServices.Protocols, System.Formats.Asn1, System.Formats.Cbor, System.IO.Hashing, System.IO.Pipelines, System.Memory.Data, System.Net.Http.Json, System.Net.Http.WinHttpHandler, System.Net.ServerSentEvents, System.Numerics.Tensors, System.Reflection.Metadata, System.Resources.Extensions, System.Runtime.Caching, System.Security.Cryptography.Pkcs, System.Security.Cryptography.Xml, System.Security.Permissions, System.ServiceProcess.ServiceController, System.Text.Encodings.Web, System.Text.Json, System.Threading.AccessControl, System.Threading.Channels, System.Threading.RateLimiting (Version 10.0.0-rc.2.25466.101 -> 10.0.0-rc.2.25467.107)
Microsoft.DotNet.Arcade.Sdk, Microsoft.DotNet.Build.Tasks.Archives, Microsoft.DotNet.Build.Tasks.Installers, Microsoft.DotNet.Build.Tasks.Templating, Microsoft.DotNet.Helix.Sdk, Microsoft.DotNet.RemoteExecutor, Microsoft.DotNet.SharedFramework.Sdk (Version 10.0.0-beta.25466.101 -> 10.0.0-beta.25467.107)
Microsoft.Web.Xdt (Version 3.2.0-preview.25466.101 -> 3.2.0-preview.25467.107)
NuGet.Frameworks, NuGet.Packaging, NuGet.Versioning (Version 7.0.0-preview.2.46701 -> 7.0.0-preview.2.46807)

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

* [release/10.0] Fix ComponentStatePersistenceManager iteration to prevent AntiforgeryValidationException in Blazor WASM (#63694)

* Initial plan

* Fix ComponentStatePersistenceManager to iterate backwards in InferRenderModes

Co-authored-by: javiercn <[email protected]>

* Add unit test for ComponentStatePersistenceManager callback removal during iteration

Co-authored-by: javiercn <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: javiercn <[email protected]>

* [release/10.0] [Blazor] Clear RootTypeCache cache on HotReload (#63653)

* Clear RootTypeCache cache on HotReload

* ClearCache method

* Fix

---------

Co-authored-by: Marek Fišera <[email protected]>

* Resolve conflicts (#63711)

* [release/10.0] Fix Validation source generator deployment for non-Web SDKs (#63715)

* Proof-of-concept fix for getting validation SG to work in Blazor Wasm SDK projects

* Use special type symbol for missing type comparisons

---------

Co-authored-by: Ondřej Roztočil <[email protected]>

* [release/10.0] Enable spectre mitigations for ANCM binaries (#63728)

* Enable spectre mitigations for ANCM binaries

* Set property as well

* Revert "Set property as well"

This reverts commit b573d8a.

---------

Co-authored-by: wtgodbe <[email protected]>

* Update dependencies from https://github.com/dotnet/dotnet build 283828 (#63732)

Updated Dependencies:
Microsoft.NET.Runtime.WebAssembly.Sdk, Microsoft.NETCore.BrowserDebugHost.Transport, Microsoft.NET.Runtime.MonoAOTCompiler.Task, dotnet-ef, Microsoft.Bcl.AsyncInterfaces, Microsoft.Bcl.TimeProvider, Microsoft.EntityFrameworkCore, Microsoft.EntityFrameworkCore.Design, Microsoft.EntityFrameworkCore.InMemory, Microsoft.EntityFrameworkCore.Relational, Microsoft.EntityFrameworkCore.Sqlite, Microsoft.EntityFrameworkCore.SqlServer, Microsoft.EntityFrameworkCore.Tools, Microsoft.Extensions.Caching.Abstractions, Microsoft.Extensions.Caching.Memory, Microsoft.Extensions.Configuration, Microsoft.Extensions.Configuration.Abstractions, Microsoft.Extensions.Configuration.Binder, Microsoft.Extensions.Configuration.CommandLine, Microsoft.Extensions.Configuration.EnvironmentVariables, Microsoft.Extensions.Configuration.FileExtensions, Microsoft.Extensions.Configuration.Ini, Microsoft.Extensions.Configuration.Json, Microsoft.Extensions.Configuration.UserSecrets, Microsoft.Extensions.Configuration.Xml, Microsoft.Extensions.DependencyInjection, Microsoft.Extensions.DependencyInjection.Abstractions, Microsoft.Extensions.DependencyModel, Microsoft.Extensions.Diagnostics, Microsoft.Extensions.Diagnostics.Abstractions, Microsoft.Extensions.FileProviders.Abstractions, Microsoft.Extensions.FileProviders.Composite, Microsoft.Extensions.FileProviders.Physical, Microsoft.Extensions.FileSystemGlobbing, Microsoft.Extensions.HostFactoryResolver.Sources, Microsoft.Extensions.Hosting, Microsoft.Extensions.Hosting.Abstractions, Microsoft.Extensions.Http, Microsoft.Extensions.Logging, Microsoft.Extensions.Logging.Abstractions, Microsoft.Extensions.Logging.Configuration, Microsoft.Extensions.Logging.Console, Microsoft.Extensions.Logging.Debug, Microsoft.Extensions.Logging.EventLog, Microsoft.Extensions.Logging.EventSource, Microsoft.Extensions.Logging.TraceSource, Microsoft.Extensions.Options, Microsoft.Extensions.Options.ConfigurationExtensions, Microsoft.Extensions.Options.DataAnnotations, Microsoft.Extensions.Primitives, Microsoft.Internal.Runtime.AspNetCore.Transport, Microsoft.NETCore.App.Ref, Microsoft.NETCore.Platforms, System.Collections.Immutable, System.Composition, System.Configuration.ConfigurationManager, System.Diagnostics.DiagnosticSource, System.Diagnostics.EventLog, System.Diagnostics.PerformanceCounter, System.DirectoryServices.Protocols, System.Formats.Asn1, System.Formats.Cbor, System.IO.Hashing, System.IO.Pipelines, System.Memory.Data, System.Net.Http.Json, System.Net.Http.WinHttpHandler, System.Net.ServerSentEvents, System.Numerics.Tensors, System.Reflection.Metadata, System.Resources.Extensions, System.Runtime.Caching, System.Security.Cryptography.Pkcs, System.Security.Cryptography.Xml, System.Security.Permissions, System.ServiceProcess.ServiceController, System.Text.Encodings.Web, System.Text.Json, System.Threading.AccessControl, System.Threading.Channels, System.Threading.RateLimiting (Version 10.0.0-rc.2.25467.107 -> 10.0.0-rc.2.25468.104)
Microsoft.DotNet.Arcade.Sdk, Microsoft.DotNet.Build.Tasks.Archives, Microsoft.DotNet.Build.Tasks.Installers, Microsoft.DotNet.Build.Tasks.Templating, Microsoft.DotNet.Helix.Sdk, Microsoft.DotNet.RemoteExecutor, Microsoft.DotNet.SharedFramework.Sdk (Version 10.0.0-beta.25467.107 -> 10.0.0-beta.25468.104)
Microsoft.Web.Xdt (Version 3.2.0-preview.25467.107 -> 3.2.0-preview.25468.104)
NuGet.Frameworks, NuGet.Packaging, NuGet.Versioning (Version 7.0.0-preview.2.46807 -> 7.0.0-preview.2.46904)

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

* Update dependencies from https://github.com/dotnet/extensions build 20250912.1 (#63681)

On relative base path root
Microsoft.Extensions.Caching.Hybrid , Microsoft.Extensions.Diagnostics.Testing , Microsoft.Extensions.TimeProvider.Testing From Version 9.10.0-preview.1.25456.3 -> To Version 9.10.0-preview.1.25462.1

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

---------

Co-authored-by: Sébastien Ros <[email protected]>
Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Mackinnon Buck <[email protected]>
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: javiercn <[email protected]>
Co-authored-by: Marek Fišera <[email protected]>
Co-authored-by: William Godbe <[email protected]>
Co-authored-by: Ondřej Roztočil <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lewing lewing lewing approved these changes

Assignees
No one assigned
Labels
Servicing-approved Shiproom has approved the issue
Projects
None yet
Milestone
10.0-rc2
Development

Successfully merging this pull request may close these issues.
3 participants
@lewing @danmoseley @Copilot