FormTagHelper does not apply on Razor Pages unless asp-antiforgery is explicitly set to true

[DamianEdwards]

The FormTagHelper only targets <form> elements if various attributes are present, e.g. asp-controller. The default behavior of it rendering anti-forgery token fields thus only applies when these attributes are present. When used in Razor Pages however, the normal attributes are not used (as we're posting to another page typically), so the anti-forgery fields are not rendered unless the asp-antiforgery attribute is explicitly set, which is far less than ideal.

<form method="post" class="form-horizontal" asp-antiforgery="true">
    <h4>Use a local account to log in.</h4>
    <hr />
    <div asp-validation-summary="All" class="text-danger"></div>
    ...
</form>

We want this to just work in Razor Pages, and it will be much more common there to post back to the current page, meaning no form action will need to be configured.

Shall we just make the FormTagHelper target all <form> elements by default now?

@rynowak @Eilon

[Eilon]

Let's change the FormTagHelper to target all <form> elements without restrictions on which attributes it has.

[dougbu]

The other option is to move antiforgery support into RenderAtEndOfFormTagHelper. That one already targets all <form> elements and already helps with antiforgery.

[rynowak]

@Eilon says: We think that moving this feature (asp-antiforgery) would be a bigger breaking change than just running form tag helper all of the time