Make enhanced nav much more conservative, and better handle redirections#50551
Make enhanced nav much more conservative, and better handle redirections#50551mkArtakMSFT merged 30 commits intorelease/8.0from
Conversation
ghost
added
the
SteveSandersonMS
changed the title
SteveSandersonMS
changed the title
SteveSandersonMS
force-pushed
the
stevesa/enhanced-navigations
branch
from
ca01d7c to
ac96696
Compare
| // Matches MVC's MemoryPoolHttpResponseStreamWriterFactory.DefaultBufferSize | ||
| var defaultBufferSize = 16 * 1024; | ||
| await using var writer = new HttpResponseStreamWriter(httpContext.Response.Body, Encoding.UTF8, defaultBufferSize, ArrayPool<byte>.Shared, ArrayPool<char>.Shared); | ||
| using var bufferWriter = new BufferedTextWriter(writer); |
There was a problem hiding this comment.
This is separate from the rest of the PR, but I realised that RazorComponentResultExecutor is inconsistent with RazorComponentEndpointInvoker.
It's dangerous that we have two different implementations as they could be out of sync and not support the same features. And here in fact one of them was not using the new buffering solution. However I don't want to unpick all the complexities of unifying these code paths within this PR (and I think we likely should leave that for .NET 9), so I'm just changing RazorComponentResultExecutor to use the same buffering technique as RazorComponentEndpointInvoker. Longer term, we should unify the code.
Note that fixing this forced me to make some other unit test updates (see WaitForContentWrittenAsync in this PR), as the unit tests were relying on content writes being completely synchronous.
| public static string CreateProtectedRedirectionUrl(HttpContext httpContext, string destinationUrl) | ||
| { | ||
| var protector = CreateProtector(httpContext); | ||
| var protectedUrl = protector.Protect(destinationUrl, TimeSpan.FromSeconds(10)); |
There was a problem hiding this comment.
The time needs to be configurable
javiercn
left a comment
javiercn
left a comment
There was a problem hiding this comment.
Looks great!
Especially happy with the thoroughness of the E2E tests
SteveSandersonMS
force-pushed
the
stevesa/enhanced-navigations
branch
from
50c2f98 to
545d786
Compare
…d nav external redirections, now as opaque URL
SteveSandersonMS
force-pushed
the
stevesa/enhanced-navigations
branch
from
545d786 to
d72681b
Compare
|
This looks like too much magic for something that should have been be a simple Is there anyway to prevent enhance nav on rc1? |
|
Hi @Bartmax. It looks like you just commented on a closed PR. The team will most probably miss it. If you'd like to bring something important up to their attention, consider filing a new issue and add enough details to build context. |
Yes, just set it to false at the root level (e.g., on your For POST requests it's always set on a per-form basis (defaulting to off) because it would be unsafe to assume that all forms in general should use enhanced posts (e.g., they may not even target a Blazor endpoint). |
…ling data attributes (#12324) - [x] Address all code review feedback - [x] Merge main branch - [x] Fix all build errors after merge: - [x] Update all RazorCompletionContext constructor calls to include codeDocument as first parameter - [x] Add WorkItem alias in CohostDocumentCompletionEndpointTest to resolve ambiguity - [x] All tests passing (13/13) - [x] Build succeeds with no errors ## Summary Successfully implemented IntelliSense support for Blazor data attributes (`data-enhance`, `data-enhance-nav`, `data-permanent`) introduced in .NET 8 RC2. ### Implementation Complete - **Created AttributeDescriptionInfo**: New record type for non-tag-helper attribute descriptions - **Added RazorCompletionItemKind.Attribute**: New completion item kind for regular HTML attributes - **Created RazorCompletionItem.CreateAttribute**: Factory method for creating attribute completions - **Extracted CompletionContextHelper**: Shared helper class with `AdjustSyntaxNodeForCompletion` and `IsAttributeNameCompletionContext` - **BlazorDataAttributeCompletionItemProvider**: Context-aware completion provider with: - Element-specific filtering (`data-enhance` only on `<form>`) - Duplicate detection - Snippet support - VSCode commit character support ### All Tests Passing ✅ - **9/9 unit tests** in BlazorDataAttributeCompletionItemProviderTest.cs (using `[WorkItem(...)]` without alias) - **4/4 integration tests** in CohostDocumentCompletionEndpointTest.cs (using `[WorkItem(...)]` with `using WorkItemAttribute = Roslyn.Test.Utilities.WorkItemAttribute;` alias to avoid ambiguity) - All tests have WorkItem attributes linking to issue #9378 - Build succeeds with no errors or warnings - Merged with latest main branch ### Code Quality - Followed all review feedback - Extracted shared code to eliminate duplication - Optimized performance (early exit conditions) - Proper error handling and edge cases - Clean, maintainable code structure - Proper WorkItem attribute usage based on namespace context Fixes #9378 <!-- START COPILOT CODING AGENT SUFFIX --> <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>Add intellisense support for new data-enhance, data-enhance-nav, and data-permanent Blazor attributes in .NET 8</issue_title> > <issue_description>In .NET 8 RC2 we introduced some new attributes that Blazor users can use to control enhanced navigation and form handling: > > - `data-enhance-nav`: Used to turn off enhanced navigation for a specific link or DOM subtree > > ```html > <a href="my-non-blazor-page" data-enhance-nav="false">My Non-Blazor Page</a> > ``` > > - `data-enhance`: Used to opt in to enhanced form handling for a form element: > > ```razor > <form method="post" @onsubmit="() => submitted = true" @formname="name" data-enhance> > <AntiforgeryToken /> > <InputText @bind-Value="Name" /> > <button>Submit</button> > </form> > > @if (submitted) > { > <p>Hello @name!</p> > } > > @code{ > bool submitted; > > [SupplyParameterFromForm] > public string Name { get; set; } = ""; > } > ``` > > - `data-permanent`: Used to signal that an element add or updated dynamically should be preserved when handling an enhanced navigation of form request: > > ```html > <div data-permanent> > This div gets updated dynamically by a script when the page loads! > </div> > ``` > > We should update the Razor tooling to provide appropriate completions and diagnostic for these attributes. > > Related PRs: > > - dotnet/aspnetcore#50551 > - https://github.com/dotnet/aspnetcore/pull/50437</issue_description> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details> Fixes #9378 <!-- START COPILOT CODING AGENT TIPS --> --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs.
4 participants
This PR makes enhanced navigation/forms much more conservative:
data-enhance-navattribute in HTML.data-enhanceto the form element orEnhanceif it's anEditForm(they're equivalent). This is nonhierarchical since it's not desirable to enable this globally.no-corson the fetch request, so it should now be impossible to receive content from an external origin (and it falls back on retrying as a full-page load for GET, or an error with a clear message for POST).fetchnormally would. As of this PR, the URL is data protected so all the client can do is navigate to an endpoint that issues a real 302 to the real URL. As such JS no longer has access to any more info than it normally would with afetch.With all this, it should be much less likely for enhanced nav/redirections to run into incompatibility issues. And much easier for developers to disable it for whole regions in the UI if they want.