I am interested in why AntiForgeryToken isn't included in every ASP.NET MVC form by default. It seems the pluses of always including it outweigh the possible disadvantages. And this behaviour could be disabled in case of need, as with HttpRequestValidationException in Web Forms.

+1  A: 

The AntiForgeryToken was only moved from "MVC Futures" to "MVC Core" in February - so it's likely that the timing prevented it from being made a built in fixture.

The other possible reason is that the team that developed the MVC framework has really put all the power in the hands of the developers. You could use something else instead of the AntiForgeryToken, in the same way you can choose to use a different testing framework, data framework, etc. It's a new approach when you look at MS historically, where they would pen you into using what they supplied.

Sohnee
+2  A: 

I think because you wouldn't want to have it on forms with the GET method.

çağdaş
I see. Though Html.BeginForm() could handle this by rendering AntiForgeryToken for POST forms only.
Alexander Prokofyev
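The behaviour the answer and comment above describe (emit the token only for POST forms, and enforce it on the receiving action) can be built on top of the stock helpers. The following is an added example, not code from the original page or from the ASP.NET MVC framework; it assumes ASP.NET MVC 2 or later, and BeginSecureForm, AccountController and its actions are hypothetical names chosen for illustration.

```csharp
using System.Web.Mvc;
using System.Web.Mvc.Html;

// Added example (not from the page). Assumes ASP.NET MVC 2 or later.
// BeginSecureForm is a hypothetical helper: it behaves like Html.BeginForm()
// but writes the anti-forgery token only when the form uses POST. A token on
// a GET form protects nothing and would end up in the query string (and thus
// in logs, history and Referer headers), which is why the answer above says
// you would not want it there.
public static class SecureFormExtensions
{
    public static MvcForm BeginSecureForm(this HtmlHelper html,
                                          string actionName,
                                          string controllerName,
                                          FormMethod method)
    {
        // BeginForm writes the opening <form> tag straight to the response.
        MvcForm form = html.BeginForm(actionName, controllerName, method);

        if (method == FormMethod.Post)
        {
            // Renders the hidden __RequestVerificationToken field and sets
            // the matching cookie; GET forms get no token at all.
            html.ViewContext.Writer.Write(html.AntiForgeryToken());
        }

        // Disposing the MvcForm (end of the using block in the view) emits </form>.
        return form;
    }
}

// The controller side. The token in the form is only decoration unless the
// receiving action carries [ValidateAntiForgeryToken], which compares the
// posted field against the cookie and rejects the request on a mismatch.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        // ... state-changing work for the current user goes here ...
        return RedirectToAction("Index");
    }

    // A GET action backing a search form: idempotent, so no token is involved.
    [HttpGet]
    public ActionResult Search(string q)
    {
        ViewData["q"] = q;
        return View();
    }
}
```

In a view the helper is used exactly like BeginForm, for example `<% using (Html.BeginSecureForm("ChangeEmail", "Account", FormMethod.Post)) { %> ... <% } %>`, while `Html.BeginSecureForm("Search", "Account", FormMethod.Get)` produces a plain GET form with no token. The check a practitioner should not skip is the attribute on the action: a form that renders the token but posts to an action without [ValidateAntiForgeryToken] is not protected.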