I am interested in why AntiForgeryToken isn't included in every ASP.NET MVC form by default. It seems the pluses of always including it outweigh the possible disadvantages. And this behaviour could be disabled in case of need, like the Web Forms HttpRequestValidationException.
2 solutions
#1
The AntiForgeryToken was only moved from "MVC Futures" to "MVC Core" in February - so it's likely that the timing prevented it from being made a built-in fixture.
The other possible reason is that the team that developed the MVC framework have really put all the power in the hands of the developers. You could use something else instead of the AntiForgeryToken in the same way you can choose to use a different testing framework, data framework etc. It's a new approach when you look at MS historically, where they would pen you into using what they supplied.
#2
I think because you wouldn't want to have it on forms with the GET method.
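One way to get the "on by default" behaviour the question asks for while honouring the objection in answer #2 is a global authorization filter that validates the token for every request except the safe HTTP methods. This is an added example, not code from the original thread; it assumes ASP.NET MVC 3 or later (for GlobalFilters and System.Web.Helpers.AntiForgery) and a hypothetical Global.asax application class.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;

// Validates the anti-forgery token on every request whose method can change
// state. GET/HEAD/OPTIONS/TRACE are skipped, so plain search or paging forms
// (which answer #2 is concerned about) need no token at all.
public sealed class ValidateAntiForgeryTokenGloballyAttribute : FilterAttribute, IAuthorizationFilter
{
    private static readonly string[] SafeMethods = { "GET", "HEAD", "OPTIONS", "TRACE" };

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        string method = filterContext.HttpContext.Request.HttpMethod;
        if (Array.Exists(SafeMethods, m => m.Equals(method, StringComparison.OrdinalIgnoreCase)))
            return; // read-only request: nothing to validate

        // Throws HttpAntiForgeryException when the __RequestVerificationToken
        // cookie and form field are missing or do not match each other.
        AntiForgery.Validate();
    }
}

// Hypothetical Global.asax.cs: register the filter once so every controller
// is protected without adding [ValidateAntiForgeryToken] to each POST action.
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        GlobalFilters.Filters.Add(new ValidateAntiForgeryTokenGloballyAttribute());
        // ... route and area registration ...
    }
}

// Matching Razor markup: only forms that POST need to emit the hidden field.
//   @using (Html.BeginForm("Save", "Account", FormMethod.Post)) { @Html.AntiForgeryToken() ... }
//   @using (Html.BeginForm("Search", "Products", FormMethod.Get)) { ... no token ... }
```

Any POST that omits @Html.AntiForgeryToken() in its view will now fail with HttpAntiForgeryException, which is the intended fail-closed behaviour of the global filter.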