Well, I have a form rendered via form tagHelper. So it's include special hidden for anti-forgery token.
and I'm trying to send following ajax request:
var data = JSON.stringify(feedbackForm.serializeArray().reduce((res, item) => {
res[item.name] = item.value;
return res; }, {}));
// data example: '{"Description":"some description", "__RequestVerificationToken":"CfDJ8F9f8kTKlVNEsnTxejQIJ__pRCl2CuZTQDVAY2216J7GgHWGDC0XUMPc0FKHpr_K5uhz8Kx0VeHDkIPdQ3V0Xur9oLE2u_bpfXuVss6AWX3BVh0WbwfQriaibOrf_yvEuIYZV-jHU_G-AHPD91cKz_QE7MVmeLVgTum80yTb8biGctMtJcU67Wp7ZgN86yMuew"}'`
$.ajax({
type: "POST",
url: '@Url.Action("Feedback", "Profile", new {Area = ""})',
contentType: "application/json; charset=utf-8",
data: data,
dataType: "json"
});
to controller action which looks like that:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Feedback([FromBody]FeedbackViewModel vm)
{
...
}
So post data include key for antiforgery token, however request still not pass antiforgeryvalidation and failed with error. If I remove antiforgery validation attribute from controller than it works perfectly.
Why it not check token inside request body - is it by design, or it's some kind of an issue?