diff --git a/aspnetcore/blazor/components/dynamiccomponent.md b/aspnetcore/blazor/components/dynamiccomponent.md
index 1048987a6761..0876bbb61852 100644
--- a/aspnetcore/blazor/components/dynamiccomponent.md
+++ b/aspnetcore/blazor/components/dynamiccomponent.md
@@ -1,11 +1,12 @@
---
title: Dynamically-rendered ASP.NET Core Razor components
+ai-usage: ai-assisted
author: guardrex
description: Learn how to use dynamically-rendered Razor components in Blazor apps.
monikerRange: '>= aspnetcore-6.0'
ms.author: wpickett
ms.custom: mvc
-ms.date: 11/11/2025
+ms.date: 07/13/2026
uid: blazor/components/dynamiccomponent
---
# Dynamically-rendered ASP.NET Core Razor components
@@ -252,6 +253,120 @@ In the following example:
:::moniker-end
+:::moniker range=">= aspnetcore-11.0"
+
+Dictionary values for [C# union-typed parameters](/dotnet/csharp/language-reference/builtin-types/union) must be boxed as the union, not the raw case value, because an implicit conversion is only valid at compile-time.
+
+
+
+> [!NOTE]
+> During the preview of .NET 11, the following example requires the app's project file to specify the "`preview`" C# language version:
+>
+> ```xml
+> preview
+> ```
+
+Consider the following C# union type, `SlotContent`, that accepts text, a , or a :
+
+```csharp
+using Microsoft.AspNetCore.Components;
+
+public union SlotContent(string, MarkupString, RenderFragment);
+```
+
+The following `Slot` component exposes a component parameter typed to the `SlotContent` union and renders the union's content using two implementations of the [C# `switch` expression](/dotnet/csharp/language-reference/operators/switch-expression), one through an assignment to a (`ContentSwitch`) and one via an inline `switch` expression. In the following example, the [`[EditorRequired]` attribute](xref:Microsoft.AspNetCore.Components.EditorRequiredAttribute) specifies that `Content` is a required component parameter at design-time or build-time.
+
+`Slot.razor`:
+
+```razor
+
+
+@code {
+ [Parameter, EditorRequired]
+ public SlotContent Content { get; set; }
+
+ private RenderFragment ContentSwitch() => Content switch
+ {
+ string text => @@text,
+ MarkupString html => @@html,
+ RenderFragment fragment => fragment,
+ _ => @Empty slot!
+ };
+}
+```
+
+The following `SlotExample` component uses the preceding `SlotContent` type and `Slot` component.
+
+`SlotExample.razor`:
+
+```razor
+@page "/slot-example"
+
+
Plain text
+
+
+
+
MarkupString
+
+
+
+
RenderFragment
+
+
+
+@code {
+ private SlotContent content;
+
+ protected override void OnInitialized()
+ {
+ content = new SlotContent((RenderFragment)(b =>
+ {
+ b.OpenElement(0, "button");
+ b.AddAttribute(1, "onclick", EventCallback.Factory.Create(this, Increment));
+ b.AddContent(2, "Count: ");
+ b.AddContent(3, currentCount);
+ b.CloseElement();
+ }));
+ }
+
+ private int currentCount = 0;
+
+ private void Increment() => currentCount++;
+}
+```
+
+
+
+The string-literal shortcut applies only to parameters declared as `string`. A parameter declared as a C# union type, even one whose cases include `string`, isn't a `string`-typed parameter, so the attribute value must be a C# expression. Use the `@` prefix, as demonstrated by `Content="@("Simple plain text slot")"` in the preceding example.
+
+
+
+For more information, see [Explore union types in C# 15](https://devblogs.microsoft.com/dotnet/csharp-15-union-types/).
+
+:::moniker-end
+
## Route parameters
Components can specify route parameters in the route template of the [`@page`][9] directive. The [Blazor router](xref:blazor/fundamentals/routing) uses route parameters to populate corresponding component parameters.
diff --git a/aspnetcore/blazor/components/virtualization.md b/aspnetcore/blazor/components/virtualization.md
index 0e5b1cc8b1e0..45e2bb8bc343 100644
--- a/aspnetcore/blazor/components/virtualization.md
+++ b/aspnetcore/blazor/components/virtualization.md
@@ -5,7 +5,7 @@ description: Learn how to use component virtualization in ASP.NET Core Blazor ap
monikerRange: '>= aspnetcore-5.0'
ms.author: wpickett
ms.custom: mvc
-ms.date: 11/11/2025
+ms.date: 07/13/2026
uid: blazor/components/virtualization
---
# ASP.NET Core Razor component virtualization
@@ -472,3 +472,16 @@ In the preceding example, the document root is used as the scroll container, so
*
:::moniker-end
+
+:::moniker range=">= aspnetcore-7.0"
+
+## Content Security Policy (CSP) compliance
+
+The `Virtualize` component renders dynamic inline `style` attributes on its spacer and placeholder elements because spacer heights are calculated at runtime based on scroll position, item count, and average item size, which change on every scroll interaction.
+
+To avoid CSP violations, `Virtualize` components:
+
+* Render CSS styles in a `data-blazor-style` attribute instead of a `style` attribute.
+* Use a JS [`MutationObserver`](https://developer.mozilla.org/docs/Web/API/MutationObserver) to read the attribute's value and apply each declaration via the [CSS Object Model (CSSOM)](https://developer.mozilla.org/docs/Web/API/CSS_Object_Model): `element.style.setProperty(name, value)`.
+
+:::moniker-end
diff --git a/aspnetcore/blazor/forms/index.md b/aspnetcore/blazor/forms/index.md
index e99e60f1ffb7..a5572f8b563f 100644
--- a/aspnetcore/blazor/forms/index.md
+++ b/aspnetcore/blazor/forms/index.md
@@ -289,8 +289,29 @@ There's no need to call is called in the `Program` file.
+:::moniker-end
+
+:::moniker range=">= aspnetcore-11.0"
+
+Automatic Cross-Site Request Forgery (CSRF) Protection Middleware is enabled by default in apps built with `WebApplication.CreateBuilder`. The middleware inspects the `Sec-Fetch-Site` and `Origin` headers on unsafe HTTP methods and records a validation verdict on the request. Blazor server-side rendering (SSR) form posts enforce that verdict and return `400 Bad Request` for cross-origin form posts that aren't trusted.
+
+If the app explicitly adds Antiforgery Middleware by calling in its request processing pipeline in the `Program` file, is called after the call to . If there are calls to and , the call to must go between them. A call to must be placed after calls to and .
+
+For more information, see .
+
+> [!IMPORTANT]
+> The following guidance on the component and the service only apply to an app that explicitly adopts token-based Antiforgery Middleware by calling in its request processing pipeline.
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-8.0 < aspnetcore-11.0"
+
The app uses Antiforgery Middleware by calling in its request processing pipeline in the `Program` file. is called after the call to . If there are calls to and , the call to must go between them. A call to must be placed after calls to and .
+:::moniker-end
+
+:::moniker range=">= aspnetcore-8.0"
+
The component renders an antiforgery token as a hidden field, and the `[RequireAntiforgeryToken]` attribute enables antiforgery protection. If an antiforgery check fails, a [`400 - Bad Request`](https://developer.mozilla.org/docs/Web/HTTP/Status/400) response is thrown and the form isn't processed.
For forms based on , the component and `[RequireAntiforgeryToken]` attribute are automatically added to provide antiforgery protection.
diff --git a/aspnetcore/blazor/fundamentals/environments.md b/aspnetcore/blazor/fundamentals/environments.md
index 479b23872d45..d4590459e255 100644
--- a/aspnetcore/blazor/fundamentals/environments.md
+++ b/aspnetcore/blazor/fundamentals/environments.md
@@ -291,30 +291,30 @@ App settings from the `appsettings.{ENVIRONMENT}.json` file are loaded by the ap
:::moniker range=">= aspnetcore-11.0"
-## `EnvironmentBoundary` component
+## `EnvironmentView` component
-Use the `EnvironmentBoundary` component for conditional rendering based on the hosting environment. This component provides a consistent way to render content based on the current environment across both server-side and client-side hosting models.
+Use the `EnvironmentView` component for conditional rendering based on the hosting environment. This component provides a consistent way to render content based on the current environment across both server-side and client-side hosting models.
-The `EnvironmentBoundary` component accepts `Include` and `Exclude` parameters for specifying environment names. The component performs case-insensitive matching.
+The `EnvironmentView` component accepts `Include` and `Exclude` parameters for specifying environment names. The component performs case-insensitive matching.
```razor
@using Microsoft.AspNetCore.Components.Web
-
+
Debug mode enabled
-
+
-
+
Pre-production environment
-
+
-
+
@DateTime.Now
-
+
```
:::moniker-end
diff --git a/aspnetcore/blazor/fundamentals/navigation.md b/aspnetcore/blazor/fundamentals/navigation.md
index 34c9f61099cc..39abdb6ed901 100644
--- a/aspnetcore/blazor/fundamentals/navigation.md
+++ b/aspnetcore/blazor/fundamentals/navigation.md
@@ -855,7 +855,7 @@ The correct culture-invariant formatting is applied for the given type ( [!NOTE]
-> [C# union types](/dotnet/csharp/whats-new/csharp-14#union-types) aren't supported by `[SupplyParameterFromQuery]` or `[SupplyParameterFromForm]`, which bind string or form values without JSON parsing.
+> [C# union types](/dotnet/csharp/language-reference/builtin-types/union) aren't supported by `[SupplyParameterFromQuery]` or `[SupplyParameterFromForm]`, which bind string or form values without JSON parsing.
:::moniker-end
@@ -1182,7 +1182,7 @@ For more information on JavaScript isolation with JavaScript modules, see
-Use the `GetUriWithHash` extension method to construct a URI with a hash fragment. This helper method provides an efficient, zero-allocation way to append hash fragments to the current URI. The following example demonstrates two use cases:
+Use the `GetUriWithFragment` extension method to construct a URI with a hash fragment. This helper method provides an efficient, zero-allocation way to append hash fragments to the current URI. The following example demonstrates two use cases:
* Inline call that jumps to Section 1 (`id="section-1"`) of the rendered page.
* Method call that receives a section identifier (`sectionId`) and navigates to the section of the page.
@@ -1190,14 +1190,14 @@ Use the `GetUriWithHash` extension method to construct a URI with a hash fragmen
```razor
@inject NavigationManager Navigation
-
+
Jump to Section 1
@code {
private void NavigateToSection(string sectionId)
{
- var uri = Navigation.GetUriWithHash(sectionId);
+ var uri = Navigation.GetUriWithFragment(sectionId);
Navigation.NavigateTo(uri);
}
}
diff --git a/aspnetcore/blazor/fundamentals/routing.md b/aspnetcore/blazor/fundamentals/routing.md
index 81c720f9f1cf..f7f0b0bab23c 100644
--- a/aspnetcore/blazor/fundamentals/routing.md
+++ b/aspnetcore/blazor/fundamentals/routing.md
@@ -362,7 +362,7 @@ When the [`OnInitialized{Async}` lifecycle method](xref:blazor/components/lifecy
:::moniker range=">= aspnetcore-11.0"
> [!NOTE]
-> Route parameters can't be typed as a [C# union](/dotnet/csharp/whats-new/csharp-14#union-types). The router parses route segments as strings and converts them to the target type without JSON parsing, so it can't dispatch to a union case.
+> Route parameters can't be typed as a [C# union](/dotnet/csharp/language-reference/builtin-types/union). The router parses route segments as strings and converts them to the target type without JSON parsing, so it can't dispatch to a union case.
:::moniker-end
diff --git a/aspnetcore/blazor/fundamentals/startup.md b/aspnetcore/blazor/fundamentals/startup.md
index e5144de1ab7e..1f07ce9f3743 100644
--- a/aspnetcore/blazor/fundamentals/startup.md
+++ b/aspnetcore/blazor/fundamentals/startup.md
@@ -5,7 +5,7 @@ description: Learn how to configure Blazor startup.
monikerRange: '>= aspnetcore-3.1'
ms.author: wpickett
ms.custom: mvc
-ms.date: 11/11/2025
+ms.date: 07/13/2026
uid: blazor/fundamentals/startup
---
# ASP.NET Core Blazor startup
@@ -1067,6 +1067,27 @@ Standalone Blazor WebAssembly:
*This section applies to Blazor Web Apps.*
+:::moniker-end
+
+:::moniker range=">= aspnetcore-11.0"
+
+To disable [enhanced navigation and form handling](xref:blazor/fundamentals/navigation#enhanced-navigation-and-form-handling), set `preserveDom` to `false` for `Blazor.start`:
+
+```html
+
+
+```
+
+**In the preceding example, the `{BLAZOR SCRIPT}` placeholder is the Blazor script path and file name.** For the location of the script, see .
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-8.0 < aspnetcore-11.0"
+
To disable [enhanced navigation and form handling](xref:blazor/fundamentals/navigation#enhanced-navigation-and-form-handling), set `disableDomPreservation` to `true` for `Blazor.start`:
```html
diff --git a/aspnetcore/blazor/fundamentals/static-files.md b/aspnetcore/blazor/fundamentals/static-files.md
index 016e972957c8..253f4ed7c783 100644
--- a/aspnetcore/blazor/fundamentals/static-files.md
+++ b/aspnetcore/blazor/fundamentals/static-files.md
@@ -44,6 +44,13 @@ In standalone Blazor WebAssembly apps, framework assets are scheduled for high p
:::moniker-end
+:::moniker range=">= aspnetcore-11.0"
+
+> [!NOTE]
+> Blazor Web App enhanced navigation doesn't attempt to preload resources in .NET 11 or later. For more information, see [Blazor enhanced navigation no longer preloads resources](/aspnet/core/breaking-changes/11/blazor-enhanced-nav-preloading-disabled).
+
+:::moniker-end
+
## Static asset delivery in server-side Blazor apps
:::moniker range=">= aspnetcore-9.0"
diff --git a/aspnetcore/blazor/javascript-interoperability/call-dotnet-from-javascript.md b/aspnetcore/blazor/javascript-interoperability/call-dotnet-from-javascript.md
index 0a9c015c88e3..64ac11a14944 100644
--- a/aspnetcore/blazor/javascript-interoperability/call-dotnet-from-javascript.md
+++ b/aspnetcore/blazor/javascript-interoperability/call-dotnet-from-javascript.md
@@ -5,7 +5,7 @@ description: Learn how to invoke .NET methods from JavaScript functions in Blazo
monikerRange: '>= aspnetcore-3.1'
ms.author: wpickett
ms.custom: mvc, sfi-ropc-nochange
-ms.date: 11/11/2025
+ms.date: 07/13/2026
uid: blazor/js-interop/call-dotnet-from-javascript
---
# Call .NET methods from JavaScript functions in ASP.NET Core Blazor
@@ -22,6 +22,16 @@ This article explains how to invoke .NET methods from JavaScript (JS).
For information on how to call JS functions from .NET, see .
+:::moniker range=">= aspnetcore-11.0"
+
+
+
+> [!NOTE]
+> [C# union types](/dotnet/csharp/language-reference/builtin-types/union) are supported.
+
+:::moniker-end
+
## Invoke a static .NET method
To invoke a static .NET method from JavaScript (JS), use the JS functions:
diff --git a/aspnetcore/blazor/javascript-interoperability/call-javascript-from-dotnet.md b/aspnetcore/blazor/javascript-interoperability/call-javascript-from-dotnet.md
index c4db66c6f5c2..7c8f67012676 100644
--- a/aspnetcore/blazor/javascript-interoperability/call-javascript-from-dotnet.md
+++ b/aspnetcore/blazor/javascript-interoperability/call-javascript-from-dotnet.md
@@ -5,7 +5,7 @@ description: Learn how to invoke JavaScript functions from .NET methods in Blazo
monikerRange: '>= aspnetcore-3.1'
ms.author: wpickett
ms.custom: mvc, sfi-ropc-nochange
-ms.date: 11/11/2025
+ms.date: 07/13/2026
uid: blazor/js-interop/call-javascript-from-dotnet
---
# Call JavaScript functions from .NET methods in ASP.NET Core Blazor
@@ -26,12 +26,28 @@ For information on how to call .NET methods from JS, see is explicitly called in the `Program` file, token-based antiforgery services are added to the app. is called after . A call to must be placed after calls, if present, to and .
+
+For more information, see .
+
+> [!IMPORTANT]
+> The following guidance on the component and the service only apply to an app that explicitly adopts token-based Antiforgery Middleware by calling in its request processing pipeline.
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-8.0 < aspnetcore-11.0"
* Adds antiforgery services automatically when is called in the `Program` file.
* Adds Antiforgery Middleware by calling in its request processing pipeline in the `Program` file and requires endpoint [antiforgery protection](xref:security/anti-request-forgery) to mitigate the threats of Cross-Site Request Forgery (CSRF/XSRF). is called after . A call to must be placed after calls, if present, to and .
+:::moniker-end
+
+:::moniker range=">= aspnetcore-8.0"
+
The component renders an antiforgery token as a hidden field, and this component is automatically added to form () instances. For more information, see .
The service provides access to an antiforgery token associated with the current session. Inject the service and call its method to obtain the current . For more information, see .
diff --git a/aspnetcore/blazor/state-management/prerendered-state-persistence.md b/aspnetcore/blazor/state-management/prerendered-state-persistence.md
index 37092ac02327..6d22c4fae623 100644
--- a/aspnetcore/blazor/state-management/prerendered-state-persistence.md
+++ b/aspnetcore/blazor/state-management/prerendered-state-persistence.md
@@ -6,7 +6,7 @@ description: Learn how to persist user data (state) in Blazor apps using Blazor'
monikerRange: '>= aspnetcore-8.0'
ms.author: wpickett
ms.custom: mvc
-ms.date: 11/11/2025
+ms.date: 07/13/2026
uid: blazor/state-management/prerendered-state-persistence
---
# ASP.NET Core Blazor prerendered state persistence
@@ -143,6 +143,17 @@ In the following example that serializes state for multiple components of the sa
}
```
+:::moniker-end
+
+:::moniker range=">= aspnetcore-11.0"
+
+> [!NOTE]
+> A user-configured doesn't flow into [C# union](/dotnet/csharp/language-reference/builtin-types/union) deserialization. Instead, use `[JsonUnion(TypeClassifier = typeof({TYPE CLASSIFIER}))]`, where the `{TYPE CLASSIFIER}` placeholder is the type classifier.
+
+:::moniker-end
+
+:::moniker range=">= aspnetcore-10.0"
+
## Serialize state for services
In the following example that serializes state for a dependency injection service:
diff --git a/aspnetcore/breaking-changes/11/blazor-enhanced-nav-preloading-disabled.md b/aspnetcore/breaking-changes/11/blazor-enhanced-nav-preloading-disabled.md
index 1a8e09b9e57e..510542d905dd 100644
--- a/aspnetcore/breaking-changes/11/blazor-enhanced-nav-preloading-disabled.md
+++ b/aspnetcore/breaking-changes/11/blazor-enhanced-nav-preloading-disabled.md
@@ -30,7 +30,9 @@ This change is a [behavioral change](/dotnet/core/compatibility/categories#behav
## Reason for change
-The implicit preload hints during enhanced navigation produced redundant browser preload requests because the WebAssembly runtime doesn't restart and the DOM-merge step often produced an unstable order of `` elements. Removing the hints for enhanced navigation gives more predictable network behavior. For more information, see [dotnet/aspnetcore#63544](https://github.com/dotnet/aspnetcore/pull/63544).
+The implicit preload hints during enhanced navigation produced redundant browser preload requests because the WebAssembly runtime doesn't restart and the DOM-merge step often produced an unstable order of `` elements. Removing the hints for enhanced navigation gives more predictable network behavior.
+
+For more information, see [[Blazor] Disable preloading for enhanced navigation (`dotnet/aspnetcore` #63544)](https://github.com/dotnet/aspnetcore/pull/63544), and please don't comment on the closed PR. If you have feedback on this change, open a new issue on the `dotnet/aspnetcore` GitHub repository.
## Recommended action
diff --git a/aspnetcore/fundamentals/middleware/request-decompression.md b/aspnetcore/fundamentals/middleware/request-decompression.md
index 95c0187ce960..4332283dcd2a 100644
--- a/aspnetcore/fundamentals/middleware/request-decompression.md
+++ b/aspnetcore/fundamentals/middleware/request-decompression.md
@@ -58,7 +58,7 @@ The `Content-Encoding` header values that the request decompression middleware s
:::moniker range=">= aspnetcore-7.0 < aspnetcore-11.0"
-| [`Content-Encoding`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding) header values | Description |
+| [`Content-Encoding`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Encoding) header values | Description |
| --------- | --------- |
| `br` | [Brotli compressed data format](https://tools.ietf.org/html/rfc7932) |
| `deflate` | [DEFLATE compressed data format](https://tools.ietf.org/html/rfc1951) |
@@ -68,7 +68,7 @@ The `Content-Encoding` header values that the request decompression middleware s
:::moniker range=">= aspnetcore-11.0"
-| [`Content-Encoding`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding) header values | Description |
+| [`Content-Encoding`](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Encoding) header values | Description |
| --------- | --------- |
| `br` | [Brotli compressed data format](https://tools.ietf.org/html/rfc7932) |
| `deflate` | [DEFLATE compressed data format](https://tools.ietf.org/html/rfc1951) |
@@ -112,7 +112,7 @@ In order of precedence, the maximum request size for an endpoint is set by:
## Additional Resources
*
-* [Mozilla Developer Network: Content-Encoding](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding)
+* [Mozilla Developer Network: Content-Encoding](https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Encoding)
* [Brotli Compressed Data Format](https://www.rfc-editor.org/rfc/rfc7932)
* [DEFLATE Compressed Data Format Specification version 1.3](https://www.rfc-editor.org/rfc/rfc1951)
* [GZIP file format specification version 4.3](https://www.rfc-editor.org/rfc/rfc1952)
diff --git a/aspnetcore/fundamentals/minimal-apis/includes/parameter-binding8-10.md b/aspnetcore/fundamentals/minimal-apis/includes/parameter-binding8-10.md
index ec845eae656c..719a60357370 100644
--- a/aspnetcore/fundamentals/minimal-apis/includes/parameter-binding8-10.md
+++ b/aspnetcore/fundamentals/minimal-apis/includes/parameter-binding8-10.md
@@ -17,7 +17,7 @@ Supported binding sources:
:::moniker range=">= aspnetcore-11.0"
> [!NOTE]
-> [C# union types](/dotnet/csharp/whats-new/csharp-14#union-types) are supported only as the body (as JSON). Non-body sources—route values, query string, headers, and form values—bind string values without JSON parsing, so they can't dispatch to a union case.
+> [C# union types](/dotnet/csharp/language-reference/builtin-types/union) are supported only as the body (as JSON). Non-body sources—route values, query string, headers, and form values—bind string values without JSON parsing, so they can't dispatch to a union case.
:::moniker-end
diff --git a/aspnetcore/fundamentals/url-rewriting.md b/aspnetcore/fundamentals/url-rewriting.md
index 769699b32443..9ac083d9cb19 100644
--- a/aspnetcore/fundamentals/url-rewriting.md
+++ b/aspnetcore/fundamentals/url-rewriting.md
@@ -44,7 +44,7 @@ When redirecting requests to a different URL, indicate whether the redirect is p
* The [`301 - Moved Permanently`](https://developer.mozilla.org/docs/Web/HTTP/Status/301) status code is used where the resource has a new, permanent URL and that all future requests for the resource should use the new URL. *The client may cache and reuse the response when a 301 status code is received.*
-* The [`302 - Found`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302) status code is used where the redirection is temporary or generally subject to change. The 302 status code indicates to the client not to store the URL and use it in the future.
+* The [`302 - Found`](https://developer.mozilla.org/docs/Web/HTTP/Status/302) status code is used where the redirection is temporary or generally subject to change. The 302 status code indicates to the client not to store the URL and use it in the future.
For more information on status codes, see [RFC 9110: Status Code Definitions](https://www.rfc-editor.org/rfc/rfc9110#name-status-codes).
diff --git a/aspnetcore/includes/problem-details-service.md b/aspnetcore/includes/problem-details-service.md
index 8adfde44015a..ef4b77168ae6 100644
--- a/aspnetcore/includes/problem-details-service.md
+++ b/aspnetcore/includes/problem-details-service.md
@@ -2,7 +2,7 @@
The problem details service implements the interface, which supports creating problem details in ASP.NET Core. The extension method on registers the default `IProblemDetailsService` implementation.
-In ASP.NET Core apps, the following middleware generates problem details HTTP responses when `AddProblemDetails` is called, except when the [`Accept` request HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept) doesn't include one of the content types supported by the registered (default: `application/json`):
+In ASP.NET Core apps, the following middleware generates problem details HTTP responses when `AddProblemDetails` is called, except when the [`Accept` request HTTP header](https://developer.mozilla.org/docs/Web/HTTP/Headers/Accept) doesn't include one of the content types supported by the registered (default: `application/json`):
* : Generates a problem details response when a custom handler is not defined.
* : Generates a problem details response by default.
diff --git a/aspnetcore/mvc/models/model-binding.md b/aspnetcore/mvc/models/model-binding.md
index 11026bcfd83c..089908def98e 100644
--- a/aspnetcore/mvc/models/model-binding.md
+++ b/aspnetcore/mvc/models/model-binding.md
@@ -112,7 +112,7 @@ If the default source is not correct, use one of the following attributes to spe
:::moniker range=">= aspnetcore-11.0"
> [!NOTE]
-> [C# union types](/dotnet/csharp/whats-new/csharp-14#union-types) are supported only with `[FromBody]`. The other binding sources—`[FromQuery]`, `[FromRoute]`, `[FromForm]`, and `[FromHeader]`—bind string values without JSON parsing, so they can't dispatch to a union case.
+> [C# union types](/dotnet/csharp/language-reference/builtin-types/union) are supported only with `[FromBody]`. The other binding sources—`[FromQuery]`, `[FromRoute]`, `[FromForm]`, and `[FromHeader]`—bind string values without JSON parsing, so they can't dispatch to a union case.
:::moniker-end
diff --git a/aspnetcore/performance/response-compression.md b/aspnetcore/performance/response-compression.md
index 7c739b046eb2..7077d357354c 100644
--- a/aspnetcore/performance/response-compression.md
+++ b/aspnetcore/performance/response-compression.md
@@ -251,7 +251,7 @@ Replace or append MIME types with the [ResponseCompressionOptions.MimeTypes](xre
## Add the Vary header
-When responses are compressed based on the [Accept-Encoding request header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Accept-Encoding), there can be uncompressed and multiple compressed versions of the response. To instruct client and proxy caches that multiple versions exist and should be stored, the `Vary` header is added with an `Accept-Encoding` value. The response middleware [adds the 'Vary' header](https://github.com/dotnet/aspnetcore/blob/main/src/Middleware/ResponseCompression/src/ResponseCompressionBody.cs#L198-L241) in the _ResponseCompressionBody.cs_ file automatically when the response is compressed.
+When responses are compressed based on the [Accept-Encoding request header](https://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/Accept-Encoding), there can be uncompressed and multiple compressed versions of the response. To instruct client and proxy caches that multiple versions exist and should be stored, the `Vary` header is added with an `Accept-Encoding` value. The response middleware [adds the 'Vary' header](https://github.com/dotnet/aspnetcore/blob/main/src/Middleware/ResponseCompression/src/ResponseCompressionBody.cs#L198-L241) in the _ResponseCompressionBody.cs_ file automatically when the response is compressed.
[!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)]
diff --git a/aspnetcore/release-notes/aspnetcore-10/includes/blazor.md b/aspnetcore/release-notes/aspnetcore-10/includes/blazor.md
index 99f476139e52..15c5512a0224 100644
--- a/aspnetcore/release-notes/aspnetcore-10/includes/blazor.md
+++ b/aspnetcore/release-notes/aspnetcore-10/includes/blazor.md
@@ -231,6 +231,13 @@ In standalone Blazor WebAssembly apps, framework assets are scheduled for high p
For more information, see .
+:::moniker range=">= aspnetcore-11.0"
+
+> [!NOTE]
+> This feature is disabled for Blazor Web App enhanced navigation in .NET 11 or later. For more information, see [Blazor enhanced navigation no longer preloads resources](/aspnet/core/breaking-changes/11/blazor-enhanced-nav-preloading-disabled).
+
+:::moniker-end
+
### Set the environment in standalone Blazor WebAssembly apps
The `Blazor-Environment` header and `Properties/launchSettings.json` file (`ASPNETCORE_ENVIRONMENT` environment variable) are no longer used to control the environment in standalone Blazor WebAssembly apps.
diff --git a/aspnetcore/release-notes/aspnetcore-11/includes/blazor.md b/aspnetcore/release-notes/aspnetcore-11/includes/blazor.md
index a9bc3283889d..ca791035cab1 100644
--- a/aspnetcore/release-notes/aspnetcore-11/includes/blazor.md
+++ b/aspnetcore/release-notes/aspnetcore-11/includes/blazor.md
@@ -171,6 +171,15 @@ For more information, see the following resources:
*
* [[release/11.0-preview4] Virtualization AnchorMode with variable-height support (`dotnet/aspnetcore` #66521)](https://github.com/dotnet/aspnetcore/pull/66521) (Please don't comment on closed issues and PRs.)
+* Content Security Policy (CSP) compliance
+
+ The `Virtualize` component renders dynamic inline `style` attributes on its spacer and placeholder elements (for example, `style="height: 478896px; flex-shrink: 0;"`) because spacer heights are calculated at runtime based on scroll position, item count, and average item size, which change on every scroll interaction. These are blocked by a Content Security Policy (CSP) when `style-src 'self'` is set, breaking virtualization entirely for apps with strict CSP policies.
+
+ Now, CSP violations are avoided because `Virtualize` components:
+
+ * Render CSS styles in a `data-blazor-style` attribute instead of a `style` attribute.
+ * Use a JS [`MutationObserver`](https://developer.mozilla.org/docs/Web/API/MutationObserver) to read the attribute's value and apply each declaration via the [CSS Object Model (CSSOM)](https://developer.mozilla.org/docs/Web/API/CSS_Object_Model): `element.style.setProperty(name, value)`.
+
### New service defaults library project template for Blazor WebAssembly apps
The `blazor-wasm-servicedefaults` project template creates a service defaults library for Blazor WebAssembly apps with [Aspire](/dotnet/aspire/get-started/aspire-overview) integration. For more information, see .
@@ -405,9 +414,9 @@ public string? FlashMessage { get; set; }
For more information, see .
-### `GetUriWithHash` extension method
+### `GetUriWithFragment` extension method
-A new `GetUriWithHash` extension method permits `NavigationManager` to easily construct URIs with hash fragments. This helper method provides an efficient, zero-allocation way to append hash fragments to the current URI. The following example demonstrates two use cases:
+A new `GetUriWithFragment` extension method permits `NavigationManager` to easily construct URIs with hash fragments. This helper method provides an efficient, zero-allocation way to append hash fragments to the current URI. The following example demonstrates two use cases:
* Inline call that jumps to Section 1 (`id="section-1"`) of the rendered page.
* Method call that receives a section Id (`sectionId`) and navigates to the section of the page.
@@ -415,14 +424,14 @@ A new `GetUriWithHash` extension method permits `NavigationManager` to easily co
```razor
@inject NavigationManager Navigation
-
+
Jump to Section 1
@code {
private void NavigateToSection(string sectionId)
{
- var uri = Navigation.GetUriWithHash(sectionId);
+ var uri = Navigation.GetUriWithFragment(sectionId);
Navigation.NavigateTo(uri);
}
}
@@ -430,28 +439,28 @@ A new `GetUriWithHash` extension method permits `NavigationManager` to easily co
The method uses `string.Create` for optimal performance and works correctly with non-root base URIs (for example, when using ``).
-### `EnvironmentBoundary` component
+### `EnvironmentView` component
-Blazor now includes a built-in `EnvironmentBoundary` component for conditional rendering based on the hosting environment. This component provides a consistent way to render content based on the current environment across both server-side and client-side hosting models.
+Blazor now includes a built-in `EnvironmentView` component for conditional rendering based on the hosting environment. This component provides a consistent way to render content based on the current environment across both server-side and client-side hosting models.
-The `EnvironmentBoundary` component accepts `Include` and `Exclude` parameters for specifying environment names. The component performs case-insensitive matching and follows the same semantics as MVC's `EnvironmentTagHelper`.
+The `EnvironmentView` component accepts `Include` and `Exclude` parameters for specifying environment names. The component performs case-insensitive matching and follows the same semantics as MVC's `EnvironmentTagHelper`.
```razor
@using Microsoft.AspNetCore.Components.Web
-
+
Debug mode enabled
-
+
-
+
Pre-production environment
-
+
-
+
@DateTime.Now
-
+
```
### MathML namespace support
@@ -679,7 +688,7 @@ For more information, see [Add built-in support for async form validation in Bla
Please don't comment on closed issues and PRs. If you have feedback on this feature, please open a new issue on the `dotnet/aspnetcore` GitHub repository.
-## Blazor and Minimal APIs support error localization
+### Blazor and Minimal APIs support error localization
Validation of Blazor forms and Minimal API endpoints receives first-class support for localization of error messages and property names. By default, localization uses language-specific RESX files deployed as part of the assembly.
@@ -738,3 +747,18 @@ Complete feature coverage is available in the following articles:
For more information, see [Add localization support to Microsoft.Extensions.Validation (`dotnet/aspnetcore` #66646)](https://github.com/dotnet/aspnetcore/pull/66646).
Please don't comment on closed issues and PRs. If you have feedback on this feature, please open a new issue on the `dotnet/aspnetcore` GitHub repository.
+
+### Fixes to TempData and `[SupplyParameterFromSession]` persistence for streaming SSR
+
+When a page uses session-backed features, where a component has a `[SupplyParameterFromSession]` parameter (which creates a subscription) or the session-storage TempData provider is active, the session cookie (`.AspNetCore.Session`) is now issued before streaming begins, even if no value is ultimately written. Pages that don't use session-backed features are unaffected.
+
+For more information, see [Fix TempData and SupplyParameterFromSession persistence for streaming SSR case (`dotnet/aspnetcore` #66832)](https://github.com/dotnet/aspnetcore/pull/66832). (Please don't comment on closed issues and PRs.)
+
+### Redundant `app.UseAntiforgery()` removed from Blazor Web templates
+
+[CSRF protection](xref:security/csrf-protection) is enabled by default via the auto-injected CSRF Protection Middleware, so the explicit `app.UseAntiforgery()` call in Blazor Web App templates has been removed.
+
+For more information, see the following resources:
+
+*
+* [Blazor server-side rendering defers antiforgery validation to middleware (breaking change announcement)](/aspnet/core/breaking-changes/11/blazor-server-side-rendering-deferred-cross-site-request-forgery-protection)
diff --git a/aspnetcore/release-notes/aspnetcore-11/includes/csharp-unions-preview-6.md b/aspnetcore/release-notes/aspnetcore-11/includes/csharp-unions-preview-6.md
index 177e6a4fce50..db6a9dea622f 100644
--- a/aspnetcore/release-notes/aspnetcore-11/includes/csharp-unions-preview-6.md
+++ b/aspnetcore/release-notes/aspnetcore-11/includes/csharp-unions-preview-6.md
@@ -1,6 +1,6 @@
### C# union types
-ASP.NET Core supports [C# union types](/dotnet/csharp/whats-new/csharp-14#union-types) (new in .NET 11) anywhere [`System.Text.Json`](/dotnet/standard/serialization/system-text-json/overview) is used: JSON request and response bodies in Minimal APIs and MVC, SignalR's `JsonHubProtocol`, Blazor JavaScript interop, persistent component state, and prerendered component parameters.
+ASP.NET Core supports [C# union types](/dotnet/csharp/whats-new/csharp-15#union-types) ([C# language reference](/dotnet/csharp/language-reference/builtin-types/union)), which are new in .NET 11, anywhere [`System.Text.Json`](/dotnet/standard/serialization/system-text-json/overview) is used: JSON request and response bodies in Minimal APIs and MVC, SignalR's `JsonHubProtocol`, Blazor JavaScript interop, persistent component state, and prerendered component parameters.
```csharp
public union UnionIntString(int, string);
@@ -8,4 +8,6 @@ public union UnionIntString(int, string);
app.MapGet("/value", () => new UnionIntString(42));
```
-Union types aren't supported for non-body binding sources such as route values, query strings, headers, and form fields.
\ No newline at end of file
+Union types aren't supported for non-body binding sources such as route values, query strings, headers, and form fields.
+
+For examples and additional information that apply to Blazor apps, see the [Component parameters section in the Components overview article](xref:blazor/components/index#component-parameters) and the [Pass parameters section of the Dynamically-rendered ASP.NET Core Razor components article](xref:blazor/components/dynamiccomponent).
diff --git a/aspnetcore/security/authentication/configure-jwt-bearer-authentication.md b/aspnetcore/security/authentication/configure-jwt-bearer-authentication.md
index ee30f5e5f19c..6190aad940a9 100644
--- a/aspnetcore/security/authentication/configure-jwt-bearer-authentication.md
+++ b/aspnetcore/security/authentication/configure-jwt-bearer-authentication.md
@@ -97,7 +97,7 @@ The [OAuth specifications](/entra/identity-platform/access-token-claims-referenc
### 403 Forbidden
-A [403 Forbidden](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403) response typically indicates that the authenticated user lacks the necessary permissions to access the requested resource. This is distinct from authentication issues, e.g. an invalid token, and is unrelated to the standard claims within the access token.
+A [403 Forbidden](https://developer.mozilla.org/docs/Web/HTTP/Status/403) response typically indicates that the authenticated user lacks the necessary permissions to access the requested resource. This is distinct from authentication issues, e.g. an invalid token, and is unrelated to the standard claims within the access token.
In ASP.NET Core, you can enforce authorization using:
diff --git a/aspnetcore/signalr/hubs.md b/aspnetcore/signalr/hubs.md
index 1234dd2990b8..4c98120d0148 100644
--- a/aspnetcore/signalr/hubs.md
+++ b/aspnetcore/signalr/hubs.md
@@ -50,7 +50,7 @@ Create a hub by declaring a class that inherits from [!NOTE]
-> Hub method parameters, return values, and stream items can be [C# union types](/dotnet/csharp/whats-new/csharp-14#union-types) only with the default `JsonHubProtocol`. The MessagePack and Newtonsoft.Json hub protocols don't support unions.
+> Hub method parameters, return values, and stream items can be [C# union types](/dotnet/csharp/language-reference/builtin-types/union) only with the default `JsonHubProtocol`. The MessagePack and Newtonsoft.Json hub protocols don't support unions.
:::moniker-end