ValidateAntiForgeryToken filter fails on requests sent by Kendo UI Grid.Read() method


I've configured my ASP.NET Core application to globally enforce a token validation filter:

// Validate the antiforgery token on every unsafe request (POST, PUT, PATCH, DELETE);
// AutoValidateAntiforgeryTokenAttribute skips GET, HEAD, OPTIONS and TRACE.
builder.Services.AddControllersWithViews(options =>
{
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

I have also globally configured all request methods to contain the necessary cookie:

using Microsoft.AspNetCore.Antiforgery;

// IAntiforgery is resolved from the container built by WebApplication.
var antiforgery = app.Services.GetRequiredService<IAntiforgery>();
app.Use((context, next) =>
{
    // Issues the .AspNetCore.Antiforgery cookie and returns the matching request token.
    var tokenSet = antiforgery.GetAndStoreTokens(context);
    // Expose the request token in a readable (non-HttpOnly) cookie so client script can send it.
    context.Response.Cookies.Append("RequestVerificationToken", tokenSet.RequestToken!,
        new CookieOptions { HttpOnly = false });
    return next(context);
});

This works as expected for all Ajax requests and ASP.NET requests involving a native form field. Where this breaks down is in some requests sent by a Kendo UI Grid.Read() method, similar to the one below:

    .DataSource(dataSource => dataSource.Ajax()
        .ServerOperation(false)
        .Read(x => x.Action("ReadWarningMessages", "UserWarningMessages", new { providerID = Model.ProviderHeaderData.ProviderId })
            .Type(HttpVerbs.Get))

What is curious is that not all Grid.Read() methods return the 400 Bad Request message when token validation is enforced; some work fine. What is more curious is that when inspecting the request headers once a 400 Bad Request response message is received, I see that they contain identical values for .AspNetCore.Antiforgery and the RequestVerificationToken cookie to the values present in successful request headers.

To clarify, both requests that are successful and those that receive a 400 error code response (Kendo Grid.Read() requests) have identical headers. These consist of a 190 character .AspNetCore.Antiforgery.b2cK7oVvzPo cookie and a 222 character RequestVerificationToken cookie, in addition to two session cookies.

The values of these cookies are identical for successful and failed requests.

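Added example, not part of the question or of Kendo's code, showing the client half that the server configuration above expects: the filter compares the .AspNetCore.Antiforgery cookie with a request token sent in the RequestVerificationToken header (the default AntiforgeryOptions.HeaderName) or the __RequestVerificationToken form field, so the readable cookie has to be copied into the header by script. It uses Kendo's plain JavaScript DataSource API; the endpoint path is assumed from the default conventional route and the cookie values are constructed.

```javascript
// Added example, not from the question. ASP.NET Core's antiforgery filter
// compares the .AspNetCore.Antiforgery cookie with a request token carried in
// the "RequestVerificationToken" header (the default AntiforgeryOptions.HeaderName)
// or the "__RequestVerificationToken" form field. A cookie named
// RequestVerificationToken is never read as the request token, so client script
// must copy it into the header; that is what the non-HttpOnly cookie is for.

// Parse one cookie out of a document.cookie-style string ("a=1; b=2").
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Header the server's antiforgery filter looks for. Returns an empty object when
// the cookie is absent: the request then goes out unchanged and a POST is
// rejected with 400, which is the safe failure mode.
function antiforgeryHeaders(cookieString) {
  const token = getCookie(cookieString, 'RequestVerificationToken');
  return token ? { RequestVerificationToken: token } : {};
}

// Copy the header onto the XMLHttpRequest; split out so it runs without a DOM.
function attachAntiforgeryHeader(xhr, cookieString) {
  for (const [name, value] of Object.entries(antiforgeryHeaders(cookieString))) {
    xhr.setRequestHeader(name, value);
  }
}

// Kendo's DataSource hands transport.read to jQuery.ajax, so beforeSend runs for
// every Grid read. The path assumes the default conventional route (assumption).
// The verb is POST because AutoValidateAntiforgeryToken skips GET, HEAD, OPTIONS
// and TRACE: a GET read never fails token validation, only unsafe verbs do.
const dataSourceConfig = {
  transport: {
    read: {
      url: '/UserWarningMessages/ReadWarningMessages',
      type: 'POST',
      beforeSend: (xhr) => attachAntiforgeryHeader(xhr, document.cookie),
    },
  },
};
```

With the MVC fluent wrapper, which exposes no beforeSend option, the same hook can be registered globally with `$.ajaxSetup({ beforeSend: ... })` before the grid initialises, since Kendo issues its reads through `$.ajax`.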

There are 0 best solutions below