Skip to content

[release-notes] ASP.NET Core in .NET 11 Preview 6#10456

Open
danroth27 wants to merge 11 commits into
release-notes/11.0-preview6from
release-notes/11.0-preview6-aspnetcore
Open

[release-notes] ASP.NET Core in .NET 11 Preview 6#10456
danroth27 wants to merge 11 commits into
release-notes/11.0-preview6from
release-notes/11.0-preview6-aspnetcore

Conversation

@danroth27

Copy link
Copy Markdown
Member

Draft ASP.NET Core release notes for .NET 11 Preview 6. This PR targets the milestone base branch release-notes/11.0-preview6 (see #10455).

Please review the AI-authored content for accuracy, including any code samples and <!-- TODO --> / <!-- Filtered features --> notes, then mark ready for review. 🤖 Generated with the release-notes skill.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds the draft ASP.NET Core component release notes for .NET 11 Preview 6 to the release-notes repository, documenting new features, breaking changes, bug fixes, and community contributors for the milestone branch (release-notes/11.0-preview6).

Changes:

  • Introduces feature writeups for Minimal API async validation, Blazor Virtualize scrolling, OpenAPI updates, [ShortCircuit], and SignalR authentication refresh.
  • Captures notable breaking changes and a short bug-fix roundup.
  • Adds a milestone-scoped community contributor list.

Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
Verified each feature with runnable samples on the Preview 6 build:
- Async validation: IAsyncValidatableObject also needs the sync Validate
  member, and AsyncValidationAttribute is overridden via IsValidAsync
  (not GetValidationResultAsync).
- Virtualize: Items requires ICollection<T>, so the sample uses List<T>
  (IReadOnlyList<T> does not compile).
- [ShortCircuit]: robots.txt should use [ShortCircuit] (200), not
  [ShortCircuit(404)] which returns the body with a 404; added a minimal
  API example.
OpenAPI 3.2 default + union anyOf schema and SignalR auth refresh
verified accurate as written.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danroth27

Copy link
Copy Markdown
Member Author

Verified every feature in these notes by building and running samples against the locally installed .NET 11 Preview 6 SDK (build 26325.125). Samples live in c:\github\danroth27\aspnetcore11samples. Corrections pushed in the latest commit:

Async validation (ran a minimal API; valid → 200, async rules → 400):

  • IAsyncValidatableObject extends IValidatableObject, so the model must also implement the synchronous Validate method — the original sample didn't compile without it.
  • AsyncValidationAttribute is overridden via the protected IsValidAsync (the doc said GetValidationResultAsync, which is the public method the framework calls and isn't overridable).

Blazor Virtualize (verified in a headless browser: InitialIndex=500 opened at items 485–515; "Back to top" → ScrollToIndexAsync(0) scrolled to Product 0):

  • Virtualize.Items requires ICollection<T>, so the sample now uses List<Product> (IReadOnlyList<Product> does not compile).

[ShortCircuit] (verified middleware is skipped):

  • Changed the robots.txt example from [ShortCircuit(404)] to [ShortCircuit]. [ShortCircuit(404)] returns the body with a 404 status, which is wrong for robots.txt; [ShortCircuit] returns 200. Added a minimal-API example.

Verified accurate as written (no change):

  • OpenAPI: document version is 3.2.0 by default; a union return type produces anyOf: [Kitten, Puppy] with bare-named case components.
  • SignalR auth refresh: EnableAuthenticationRefresh, OnAuthenticationRefresh, and Hub.OnAuthenticationRefreshedAsync compile, and the /refresh endpoint is mapped alongside /negotiate.
  • Breaking changes: the IValidatableInfo split into IValidatableTypeInfo/IValidatableParameterInfo/IValidatablePropertyInfo is present in the build.

Note: the local build is 26325.125; the notes target 26328.106. I confirmed the corrected APIs are identical across both builds.

Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
…59.118

- Rename async validation section to 'Async validation for minimal APIs'
  (danroth27); cross-reference the libraries release notes; throw from the
  sync Validate for async-only types (Youssef1313).
- Split OpenAPI into 'OpenAPI 3.2 by default' (kept as a feature) and a
  broader 'Unions in ASP.NET Core' section covering Minimal APIs, MVC,
  SignalR, and Blazor, with cross-references to the C#/libraries notes
  (BrennanConroy). Shorter headings (Copilot).
- SignalR: add the client-side WithAuthenticationRefresh API, and a new
  'Cancel hub invocations from the client' section for #64098 (BrennanConroy).
- Community contributors: remove Microsoft/.NET-team affiliated accounts.

Verified every sample against the final Preview 6 SDK (11.0.100-preview.6.26359.118).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danroth27

Copy link
Copy Markdown
Member Author

Pushed an update addressing the review feedback. Summary:

Restructure

  • Renamed Async validation for minimal APIs (+ cross-link to the libraries notes; the sync Validate now throws for async-only types).
  • Split the OpenAPI section into OpenAPI 3.2 by default (kept as a feature) and a broader Unions in ASP.NET Core section (Minimal APIs, MVC/Razor Pages, SignalR, Blazor + gaps + cross-refs).
  • SignalR: added the client-side WithAuthenticationRefresh API, and a new Cancel hub invocations from the client section (#64098).

Re-verified on the final Preview 6 build (11.0.100-preview.6.26359.118) — every feature was rebuilt/run in danroth27/aspnetcore11samples: async validation (incl. the throw change), OpenAPI 3.2 + union anyOf, [ShortCircuit], Virtualize (browser-tested InitialIndex/ScrollToIndexAsync), SignalR auth refresh (client compiles), and hub-invocation cancellation (round-trip: client cancel → server token fires).

Community contributors — vetted all 12 for Microsoft/.NET-team affiliation and removed two:

  • @jesuszarate — company @microsoft (ANCM signing work). Microsoft employee.
  • @Alex-Sob — Akvelon, Inc. (a firm that staffs contractors on the .NET/ASP.NET Core team); the merged PRs are internal analyzer work. Removed as a judgment call — let me know if you'd prefer to keep them.

The other 10 (Xebia, Syncfusion, IBM, Cloudflare, and independents) are external and were kept. @desjoerd and @sheiksyedm are public members of the dotnet org but work for Xebia/Syncfusion (not Microsoft), so I kept them.

Neither is on the .NET product team (per danroth27), so they belong in the
community contributors list even though one is a Microsoft employee (other
team) and one is a vendor contractor.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
Verified each against the final Preview 6 build (26359.118) with samples:
- Automatic cross-origin (CSRF) protection (#66585) — auto-enabled; the
  main feature behind the existing #67082 breaking-change note.
- Configure browser behavior from the server / WithBrowserOptions (#67337).
- EnvironmentView + NavigationManager.GetUriWithFragment (#67369, #67368).
- dotnet user-jwts --file for file-based apps (#66919).
- Bug fixes: WebView Hybrid @rendermode no-op (#65876); QUERY hosting
  metric (#63276).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danroth27

Copy link
Copy Markdown
Member Author

Evaluated the 12 PRs against the final Preview 6 build (11.0.100-preview.6.26359.118), building a sample for each candidate in aspnetcore11samples.

Added (verified in the build):

PR What Added as
#66585 Auto-enabled cross-origin (CSRF) protection via Sec-Fetch-Site/Origin Feature section (this is the feature behind the existing #67082 breaking-change note)
#67337 Configure browser behavior from the server (WithBrowserOptions) Feature section
#67369 EnvironmentView component (env-conditional content) Feature section
#67368 NavigationManager.GetUriWithFragment Folded into the EnvironmentView section
#66919 dotnet user-jwts --file for file-based apps Feature section
#65876 Blazor Hybrid @rendermode no longer throws in WebView Bug fixes
#63276 QUERY added to hosting metrics known methods Bug fixes

Already documented: #66753 (Virtualize), #64098 (hub-invocation cancellation).

Excluded (with reason):

  • #67130 (media components → Microsoft.AspNetCore.Components.Media) — the package only publishes up to 26324; there's no build matching 26359, so it's not cleanly shipping. Recommend holding until the packaging settles.
  • #67037 (Blazor Label/DisplayName) — narrow form helpers, still actively in API review.
  • #66527 (WebApplicationFactory.ConfigureHostApplicationBuilder) — niche integration-testing API.

Two API-shape notes worth flagging (found by building samples, not from PR bodies): CsrfProtectionResult ships as a class with Allowed()/Denied() factory methods (not an enum), and ICsrfProtection exposes ValidateAsync returning ValueTask<CsrfProtectionResult>.

Comment thread release-notes/11.0/preview/preview6/aspnetcore.md Outdated
…ng changes

- Move EnvironmentBoundary->EnvironmentView, GetUriWithHash->GetUriWithFragment,
  browser options reshape, media component move, and the minimal API validation
  resolver split into a new 'Preview API changes' section (migration notes).
- Remove the two Blazor feature sections that re-documented renamed APIs.
- Document automatic cross-origin (CSRF) protection as new functionality (fold
  in the shared-verdict detail from #67082) instead of a breaking change.
- Reference the Preview 1 EnvironmentBoundary notes for the rename.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danroth27

Copy link
Copy Markdown
Member Author

Reframed the Blazor preview API changes per the guidance that preview-to-preview renames aren''t breaking changes (we haven''t shipped these APIs in a stable release yet).

New Preview API changes section (migration notes for upgrading from an earlier .NET 11 preview) replaces the old Breaking changes section:

Removed the two Blazor feature sections that re-documented the renamed APIs — we don''t need to re-document a renamed feature, just note the rename.

Automatic cross-origin (CSRF) protection is now documented purely as new functionality; I folded the shared-verdict detail (dotnet/aspnetcore#67082) into that feature section instead of listing it as a breaking change.

Net result: there is no Breaking changes section this preview — nothing here breaks a shipped-stable API.

⚠️ Media move caveat (dotnet/aspnetcore#67130): the components are removed from Microsoft.AspNetCore.Components.Web in the Preview 6 build (26359.118), but the new Microsoft.AspNetCore.Components.Media package''s earliest published build is 11.0.0-preview.7.26360.111 — there is no matching preview.6 package. I documented it as "removed from Web, moving to a new package" without pointing to a specific PackageReference. Happy to adjust if you''d prefer different handling.

danroth27 and others added 2 commits July 10, 2026 16:11
The Microsoft.AspNetCore.Components.Media package has no matching preview.6
build, so drop the media-components mention for now.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… links

Verified against the .NET 11 Preview 6 source (release/11.0.1xx-preview6) and
the installed 26359.118 build:
- CORS-policy trust for cross-origin callers (the primary upgrade action)
- .DisableAntiforgery() / [IgnoreAntiforgeryToken] per-endpoint opt-out and the
  DisableCsrfProtection global key
- clarify verdict is deferred to form consumers (JSON APIs aren't rejected)
- correct middleware ordering to 'after authentication and authorization'
- link the new conceptual and migration docs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danroth27

Copy link
Copy Markdown
Member Author

Reviewed the Automatic cross-origin (CSRF) protection section against the new draft docs (reference, migration) and improved it. Every claim is verified against the Preview 6 source (release/11.0.1xx-preview6: DefaultCsrfProtection, CsrfProtectionMiddleware, WebApplicationBuilder) and the running 26359.118 build.

What changed:

  • Added the primary upgrade action — allow a trusted cross-origin caller by declaring its origin in a CORS policy. The middleware reuses the endpoint''s CORS policy; AllowAnyOrigin is intentionally not trusted for writes.
  • Added opt-outs.DisableAntiforgery() / [IgnoreAntiforgeryToken] per endpoint, and the DisableCsrfProtection global config key.
  • Clarified deferred enforcement — endpoints that never read a form (e.g. JSON APIs) aren''t rejected.
  • Corrected ordering — "after authentication and authorization" (was "after routing and authentication").
  • Linked the new conceptual + migration docs.

Runtime check against the installed P6 build (curl, Sec-Fetch-Site set manually):

Scenario Result
same-origin form POST 200
cross-site untrusted origin, minimal API [FromForm] 400
cross-site origin trusted via CORS default policy 200
non-browser (no Sec-Fetch-Site/Origin) 200
cross-site untrusted, JSON body (no form read) 200

One nuance worth knowing: reading HttpContext.Request.Form directly is a backstop that throws InvalidOperationException rather than returning a clean 400. The clean 400 comes from framework form consumers (minimal API [FromForm], MVC, Blazor SSR), which is exactly what the note describes.

danroth27 and others added 3 commits July 10, 2026 16:58
Release notes should introduce the feature, not reproduce docs content.
Remove the CORS/opt-out how-to and the doc links (docs may be refactored).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Keep the per-endpoint and global opt-out options and the ICsrfProtection
extension point (verified in the P6 source); drop only the how-to detail and
doc links. Trim the now-redundant opt-out clause from the intro.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Apply BrennanConroy's review suggestions on PR #10456.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@danroth27 danroth27 requested a review from DeagleGross July 11, 2026 00:37

## Async validation for minimal APIs

Minimal API validation now supports asynchronous validators end-to-end ([dotnet/aspnetcore #66487](https://github.com/dotnet/aspnetcore/pull/66487), [dotnet/aspnetcore #67183](https://github.com/dotnet/aspnetcore/pull/67183)). Preview 5 shipped the building blocks for asynchronous form validation in Blazor. Preview 6 adds the new asynchronous `DataAnnotations` APIs in the base libraries — `AsyncValidationAttribute`, `IAsyncValidatableObject`, and `Validator.ValidateObjectAsync` — and `Microsoft.Extensions.Validation` now runs them when an endpoint validates a request. The new base-library APIs are covered in the [.NET libraries release notes](./libraries.md#asynchronous-validation-with-dataannotations).

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fwiw, Validator class isn't used by Microsoft.Extensions.Validation at all. It's only used by Blazor when Microsoft.Extensions.Validation isn't wired up.


Minimal API validation now supports asynchronous validators end-to-end ([dotnet/aspnetcore #66487](https://github.com/dotnet/aspnetcore/pull/66487), [dotnet/aspnetcore #67183](https://github.com/dotnet/aspnetcore/pull/67183)). Preview 5 shipped the building blocks for asynchronous form validation in Blazor. Preview 6 adds the new asynchronous `DataAnnotations` APIs in the base libraries — `AsyncValidationAttribute`, `IAsyncValidatableObject`, and `Validator.ValidateObjectAsync` — and `Microsoft.Extensions.Validation` now runs them when an endpoint validates a request. The new base-library APIs are covered in the [.NET libraries release notes](./libraries.md#asynchronous-validation-with-dataannotations).

This lets a validation rule do real work, such as a database lookup or a remote API call, without blocking a thread. A model implements `IAsyncValidatableObject` and returns validation results as an `IAsyncEnumerable<ValidationResult>`. Because `IAsyncValidatableObject` extends `IValidatableObject`, also implement the synchronous `Validate` method. When a type validates asynchronously only, throw from `Validate` so it isn't silently validated through the synchronous APIs:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this say "isn't silently skipped"?


// IValidatableObject (synchronous) — this type validates asynchronously only.
public IEnumerable<ValidationResult> Validate(ValidationContext context) =>
throw new NotSupportedException("Validate this type with ValidateAsync.");

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The docs suggest InvalidOperationException instead of NotSupportedException.


## OpenAPI 3.2 by default

Generated OpenAPI documents now target OpenAPI 3.2 by default ([dotnet/aspnetcore #67097](https://github.com/dotnet/aspnetcore/pull/67097), [dotnet/aspnetcore #67007](https://github.com/dotnet/aspnetcore/pull/67007)). OpenAPI 3.2 is the newest version of the specification. Documents continue to generate as before; set the document version explicitly if you need to target an earlier version for tooling that hasn't adopted 3.2 yet.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm having a hard time understanding what "Documents continue to generate as before" means

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pinging @tdykstra for an 👁️ on this suggestion because we're mirroring this language in the PR for ASP.NET Core What's New coverage (dotnet/AspNetCore.Docs #37334).

@Youssef1313 Youssef1313 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for the parts in my areas. Only left few comments.

Also are we intentionally missing dotnet/aspnetcore#66527 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants