Grid in a Razor Pages app is causing a XSRF error

RichardS asked on 06 Jan 2023, 05:32 PM

I'm trying to add a kendo grid to a Razor Pages app. The grid is simple, pretty much straight out of the samples. However, when I load the page, I get an empty grid and the error below (also on the attached screenshot):

Migrate entirely to HTTPS to have cookies sent to same-site subresources

A cookie was not sent to an insecure origin from a secure context. Because this cookie would have been sent across schemes on the same site, it was not sent. This behavior enhances the SameSite attribute’s protection of user data from request forgery by network attackers.

Resolve this issue by migrating your site (as defined by the eTLD+1) entirely to HTTPS. It is also recommended to mark the cookie with the Secure attribute if that is not already the case.


Here's the code:

Page:

@(Html.Kendo().Grid<tblEmployeeHardware>()
    .Name("grid")
    .Groupable()
    .Sortable()
    .Editable()
    .Scrollable()
    .Columns(columns =>
    {
        columns.Bound(column => column.HardwareDescription);
        ...
        columns.Bound(column => column.SerialNumber);
        columns.Command(column =>
        {
            column.Destroy();
        }).Width(230);
    })
    .DataSource(ds => ds.Ajax()
        .Read(r => r.Url("/Groups/IT/Hardware?handler=Read").Data("forgeryToken"))
        .Destroy(d => d.Url("/Groups/IT/Hardware?handler=DeleteHardware").Data("forgeryToken"))
        .Model(m => m.Id(id => id.Id))
        .PageSize(30)
    )
    .Pageable()
)

<script>
    function forgeryToken() {
        return kendo.antiForgeryTokens();
    }
</script>

Model:

// POST handler hit by the Grid's Destroy operation; Razor Pages validates the antiforgery token on POST handlers.
public JsonResult OnPostDeleteHardware([DataSourceRequest] DataSourceRequest request, tblEmployeeHardware model)
{
    var db = new DbAccessHelper(Settings);
    db.CreateUpdateDelete("DELETE FROM tblEmployeeHardware WHERE Id = @ID",
        new Dictionary<string, string> { { "ID", model.Id.ToString() } });
    return new JsonResult(new[] { model }.ToDataSourceResult(request, ModelState));
}

// GET handler hit by the Grid's Read operation.
public JsonResult OnGetRead([DataSourceRequest] DataSourceRequest request, string additionalParameter)
{
    var ret = getHardware();
    // The received parameter "additionalParameter" can be used for filtering/checking the data before returning it to the Grid.
    return new JsonResult(ret.ToDataSourceResult(request));
}

I added the [RequireHttps] attribute to the SharedModel, and the following to program.cs:

builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SameSite = SameSiteMode.None;
});

Neither helped. 

Can you guys give me a hand here?

1 Answer, 1 is accepted

Mihaela
Telerik team
answered on 11 Jan 2023, 10:49 AM

Hello Richard,

I suspect that the issue is caused by a missing AntiForgeryToken. Would you please inspect the Read request of the Grid in the Network tab in the browser DevTools to check the request status and whether the AntiForgeryToken appears in the request cookies? For example:

Request status code:

Request cookies:


Generally, the AntiForgeryToken should be included on top of the RazorPage:

@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@Html.AntiForgeryToken()

@(Html.Kendo().Grid<tblEmployeeHardware>()
    .Name("grid")
    ...
    .DataSource(ds => ds
        .Ajax()
        .Read(r => r.Url("....").Data("forgeryToken"))
        ...
    )
)


and sent with each POST request of the page:

<script>
    function forgeryToken() {
        return kendo.antiForgeryTokens();
    }
</script>

Regards, Mihaela Progress Telerik


RichardS
commented on 02 Feb 2023, 10:30 PM

Hi, Mihaela,
The anti-forgery token is there. I've attached the screenshot of the Read request's cookies.
Stoyan
Telerik team
commented on 07 Feb 2023, 05:32 PM

Hi Richard,

It is perplexing that the anti-forgery token is sent correctly but the issue still occurs.

Perhaps the behavior is indeed caused by a protocol mismatch. I recommend referring to the related StackOverflow article that goes over a possible solution to the issue.
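Two points from this thread, Mihaela's note that the antiforgery token must reach the server with each POST and Stoyan's suspicion of a scheme (http/https) mismatch, both come down to how the app's cookies and transport are configured. The Program.cs below is an added example written for this page, not code from the thread or from Telerik; it assumes .NET 6+ minimal hosting and the Telerik UI for ASP.NET Core package (for AddKendo()). It pins the antiforgery cookie to HTTPS and SameSite=Strict and forces the whole site onto HTTPS, which is what the DevTools message asks for.

```csharp
// Program.cs for a Razor Pages app hosting a Telerik Grid (added example, not from the thread).
// Assumes .NET 6+ minimal hosting and the Kendo.Mvc package that provides AddKendo().
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);

// Razor Pages validates the antiforgery token on every POST/PUT/DELETE handler by default,
// so OnPostDeleteHardware is protected as long as the token pair reaches the server.
// GET handlers such as OnGetRead are never validated, so .Data("forgeryToken") on the Read
// request is harmless but not what protects anything.
builder.Services.AddRazorPages();
builder.Services.AddKendo();

// The antiforgery cookie is the half of the token pair the browser must send back alongside
// the __RequestVerificationToken form field that kendo.antiForgeryTokens() collects.
// Chrome's "A cookie was not sent to an insecure origin from a secure context" warning means
// a request left the HTTPS page for an http:// URL, so the cookie was withheld and validation
// failed. Marking the cookie Secure makes that rule explicit: it is never sent over http.
builder.Services.AddAntiforgery(options =>
{
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.HttpOnly = true;
    // Framework default, stated here because kendo.antiForgeryTokens() reads a hidden field of this name.
    options.FormFieldName = "__RequestVerificationToken";
});

// ConfigureApplicationCookie (tried in the question) only changes the Identity application
// cookie; the antiforgery cookie is configured above. SameSite=None widens exposure, so
// a cookie policy should set a floor rather than relax it.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.MinimumSameSitePolicy = SameSiteMode.Lax;
    options.Secure = CookieSecurePolicy.Always;
});

var app = builder.Build();

// Serve the entire site (the eTLD+1 the DevTools message refers to) over HTTPS so that no
// grid request, redirect or static asset crosses schemes.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();
app.UseCookiePolicy();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapRazorPages();

app.Run();
```

With this in place, a Read or Destroy request that still shows the DevTools warning is, by construction, one that targeted an http:// URL; checking the request URL and any 3xx redirect in the Network tab (as Mihaela suggested) then tells you where the scheme change happens.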
