I'm trying to add a kendo grid to a Razor Pages app. The grid is simple, pretty much straight out of the samples. However, when I load the page, I get an empty grid and the error below (also on the attached screenshot):
Migrate entirely to HTTPS to have cookies sent to same-site subresources
A cookie was not sent to an insecure origin from a secure context. Because this cookie would have been sent across schemes on the same site, it was not sent. This behavior enhances the SameSite attribute’s protection of user data from request forgery by network attackers.
Resolve this issue by migrating your site (as defined by the eTLD+1) entirely to HTTPS. It is also recommended to mark the cookie with the Secure attribute if that is not already the case.
Here's the code:
Page:
@(Html.Kendo().Grid<tblEmployeeHardware>()
.Name("grid")
.Groupable()
.Sortable()
.Editable()
.Scrollable()
.Columns(columns =>
{
columns.Bound(column => column.HardwareDescription);
...
columns.Bound(column => column.SerialNumber);
columns.Command(column =>
{
column.Destroy();
}).Width(230);
})
.DataSource(ds => ds.Ajax()
.Read(r => r.Url("/Groups/IT/Hardware?handler=Read").Data("forgeryToken"))
.Destroy(d => d.Url("/Groups/IT/Hardware?handler=DeleteHardware").Data("forgeryToken"))
.Model(m => m.Id(id => id.Id))
.PageSize(30)
)
.Pageable()
)
<script>
function forgeryToken() {
return kendo.antiForgeryTokens();
}
</script>
Model:
public JsonResult OnPostDeleteHardware([DataSourceRequest] DataSourceRequest request, tblEmployeeHardware model)
{
var db = new DbAccessHelper(Settings);
db.CreateUpdateDelete("DELETE FROM tblEmployeeHardware WHERE Id = @ID",
new Dictionary<string, string> { { "ID", model.Id.ToString() } });
return new JsonResult(new[] { model }.ToDataSourceResult(request, ModelState));
}
public JsonResult OnGetRead([DataSourceRequest] DataSourceRequest request, string additionalParameter)
{
var ret = getHardware();
//The received parameter "additionalParameter" can be used for filtering/checking the data before returning it to the Grid.
return new JsonResult(ret.ToDataSourceResult(request));
}
I added the [RequireHttps] attribute to the SharedModel, and the following to program.cs:
builder.Services.ConfigureApplicationCookie(options =>
{
options.Cookie.SameSite = SameSiteMode.None;
});
Neither helped.
Can you guys give me a hand here?
1 Answer, 1 is accepted
Hello Richard,
I suspect that the issue is caused by a missing AntiForgeryToken. Would you please inspect the Read request of the Grid in the Network tab in the browser DevTools to check the status request and if the AntiForgeryToken appears in the request cookies? For example:
Request status code:
Request cookies:
Generally, the AntiForgeryToken should be included on top of the RazorPage:
@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@Html.AntiForgeryToken()
@(Html.Kendo().Grid<tblEmployeeHardware>()
.Name("grid")
...
.DataSource(ds => ds
.Ajax()
.Read(r => r.Url("....").Data("forgeryToken"))
...
)
)
and sent with each POST request of the page:
<script>
function forgeryToken() {
return kendo.antiForgeryTokens();
}
</script>Regards, Mihaela Progress Telerik
Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.
Rank 1
The anti-forgery token is there. I've attached the screenshot of the Read request's cookies.
Hi Richard,
It is perplexing that the anti-forgery token is sent correctly but the issue still occurs.
Perhaps the behavior is indeed caused by a protocol mismatch. I recommend referring to related StackOverflow article that goes over a possible solution of the issue.