Adds the concept of an IAntiforgeryPolicy marker interface as well as
the ability to overide policy with a 'closer' filter.
Adds a new [IgnoreAntiforgeryToken] attribute for overriding a scoped
antiforgery policy.
Adds a new [AutoValidateAntiforgeryToken] attribute (good name tbd) for
applying an application-wide antiforgery token. The idea is that you can
configure this as a global filter if your site is acting as a pure
browser-based or 1st party SPA. This new attribute only validates the
token for unsafe HTTP methods, so you can apply it broadly.
- Check MVC services once at startup
- Make action selector sync
We've never really had a scenario for the action selector being async, it
just ended up that way. None of our extensibility here lets you do
anything async without replacing it wholesale, which we don't
recommend.
This change avoids a state machine allocation and a dictionary allocation
on the common case (no bound properties). Ugly? You bet. Worth it? Yeah,
seems worthwhile.
This is worth about 200 bytes/request - about 3% of allocated bytes in a
smallish API scenario.
- Always prepend with application name and let underlying `IStringLocalizerFactory` do the name gymnastics
- Use ExecutingFilePath instead of view name
- Trim off the file extension (so your resource doesn't have to have ".cshtml" in its name)
- Improved doc comments
- Added tests to cover ViewLocalizer behavior
- #3718
- #2767
- IHtmlLocalizer no longer derives from IStringLocalizer
- IHtmlLocalizer indexer now returns LocalizedHtmlString
- IHtmlLocalizer has GetString methods now that act the same as IStringLocalizer.GetString
- Made LocalizedHtmlString a struct to match LocalizedString
- Updated samples in response to aspnet/Localization#167
- Rename "ancestor" to "parent" for loc API
- Fixes some doc comments
- Fixed tests
- #3716
- #3612 subpart 2 of 2
- merge `ActionConstraintsWebSite`, `AntiforgeryTokenWebSite` and `ContentNegotiationWebSite` into `BasicWebSite`
- remove tests depending on `ErrorReporterMiddleware` in merged sites; not used in `BasicWebSite`
- delete `CompositeViewEngineWebSite`, `Microsoft.AspNet.Mvc.ViewEngines.CompositeViewEngineTest` covers cases
- delete `CorsMiddlewareWebsite`, soon to be in Cors repo (see aspnet/CORS#57)
- remove `SendFileMiddleware` from FilesWebSite, unused there
This change adds a base class for controllers to Mvc.Core that can be used
without a dependency on views, json, etc.
Most of the functionality on Controller moves to ControllerBase. I kept
the IActionFilter and IDisposable functionality on Controller since it's
not really a fit with the 'minimal' philosophy.
Ryan Nowak
Pranav K
Ajay Bhargav Baaskaran
Doug Bunting
Kiran Challa
John Luo
damianedwards
Hao Kung
N. Taylor Mullen
ryanbrandenburg
javiercn