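/// <summary>
/// Serves a small JavaScript snippet that, when run on a page whose origin matches
/// this script's origin, appends a hidden antiforgery request-token input to
/// <c>document.body</c>. When the antiforgery service issues a new cookie token,
/// the antiforgery cookie is (re)written on the response as well.
/// </summary>
/// <param name="context">The current request/response context.</param>
/// <returns>A task that completes once the response has been written.</returns>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is <c>null</c>.</exception>
/// <remarks>
/// Responds 403 when <c>_scriptOptions.AllowWhen</c> rejects the request and 405 for
/// any method other than GET. The response is marked non-cacheable because it carries
/// a per-request token.
/// </remarks>
public async Task Invoke(HttpContext context)
{
    if (context is null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    // Optional caller-supplied gate; when present it decides who may fetch the script.
    if (_scriptOptions.AllowWhen != null && !_scriptOptions.AllowWhen(context, _serviceProvider))
    {
        context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        return;
    }

    if (!HttpMethods.IsGet(context.Request.Method))
    {
        context.Response.StatusCode = (int)HttpStatusCode.MethodNotAllowed;
        return;
    }

    var tokenSet = _antiforgery.GetTokens(context);

    // A CookieToken is only handed back when a new cookie has to be issued; an
    // empty value means the cookie already on the request is still valid.
    if (!string.IsNullOrEmpty(tokenSet.CookieToken))
    {
        var cookieBuilder = _antiforgeryOptions.Value.Cookie;
        context.Response.Cookies.Append(cookieBuilder.Name, tokenSet.CookieToken, cookieBuilder.Build(context));
    }

    context.Response.ContentType = "application/javascript; charset=utf-8";
    // The body embeds a per-request token; neither browsers nor proxies may cache it.
    context.Response.Headers["Cache-Control"] = "no-store";
    context.Response.Headers["Pragma"] = "no-cache";

    // Every value spliced into the script is emitted as a JSON string literal, which
    // is also a valid JavaScript string literal. The default encoder escapes quotes,
    // backslashes and HTML-sensitive characters, so the request-derived origin (and
    // the token values) cannot terminate the literal and inject script.
    var originLiteral = System.Text.Json.JsonSerializer.Serialize(GetOrigin(context.Request));
    var fieldNameLiteral = System.Text.Json.JsonSerializer.Serialize(tokenSet.FormFieldName);
    var requestTokenLiteral = System.Text.Json.JsonSerializer.Serialize(tokenSet.RequestToken);

    // Writes the hidden token field only when the page shares the script's origin;
    // if document.body does not exist yet, retry on the next animation frame.
    var bodyScript = $@"(function appendToken(){{
    if(window.location.origin==={originLiteral}){{
        if(document.body){{
            var input = document.createElement('input');
            input.setAttribute('type', 'hidden');
            input.setAttribute('name', {fieldNameLiteral});
            input.setAttribute('value', {requestTokenLiteral});
            document.body.appendChild(input);
        }}else{{
            window.requestAnimationFrame(appendToken);
        }}
    }}
}})()";

    // Honor client disconnects so an abandoned request does not keep writing.
    await context.Response.WriteAsync(bodyScript, Encoding.UTF8, context.RequestAborted);
}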