Avoid re-running routing for implicit middlewares and remove implicit anti-forgery

src/Antiforgery/src/AntiforgeryApplicationBuilderExtensions.cs

@@ -3,8 +3,6 @@
 
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Antiforgery.Internal;
-using Microsoft.AspNetCore.Routing;
-using Microsoft.Extensions.DependencyInjection;
 
 namespace Microsoft.AspNetCore.Builder;
 
@@ -26,19 +24,6 @@ public static IApplicationBuilder UseAntiforgery(this IApplicationBuilder builde
         builder.VerifyAntiforgeryServicesAreRegistered();
 
         builder.Properties[AntiforgeryMiddlewareSetKey] = true;
-
-        // The anti-forgery middleware adds annotations to HttpContext.Items to indicate that it has run
-        // that will be validated by the EndpointsRoutingMiddleware later. To do this, we need to ensure
-        // that routing has run and set the endpoint feature on the HttpContext associated with the request.
-        if (builder.Properties.TryGetValue(RerouteHelper.GlobalRouteBuilderKey, out var routeBuilder) && routeBuilder is not null)
-        {
-            return builder.Use(next =>
-            {
-                var newNext = RerouteHelper.Reroute(builder, routeBuilder, next);
-                var antiforgery = builder.ApplicationServices.GetRequiredService<IAntiforgery>();
-                return new AntiforgeryMiddleware(antiforgery, newNext).Invoke;
-            });
-        }
         builder.UseMiddleware<AntiforgeryMiddleware>();
 
         return builder;

src/Antiforgery/src/Microsoft.AspNetCore.Antiforgery.csproj

@@ -26,6 +26,5 @@
 
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)HttpExtensions.cs" LinkBase="Shared"/>
-    <Compile Include="$(SharedSourceRoot)Reroute.cs" LinkBase="Shared"/>
   </ItemGroup>
 </Project>

src/DefaultBuilder/src/WebApplicationBuilder.cs

@@ -4,7 +4,6 @@
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using System.Reflection;
-using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Hosting;
@@ -25,7 +24,6 @@ public sealed class WebApplicationBuilder : IHostApplicationBuilder
     private const string EndpointRouteBuilderKey = "__EndpointRouteBuilder";
     private const string AuthenticationMiddlewareSetKey = "__AuthenticationMiddlewareSet";
     private const string AuthorizationMiddlewareSetKey = "__AuthorizationMiddlewareSet";
-    private const string AntiforgeryMiddlewareSetKey = "__AntiforgeryMiddlewareSet";
     private const string UseRoutingKey = "__UseRouting";
 
     private readonly HostApplicationBuilder _hostApplicationBuilder;
@@ -453,15 +451,6 @@ private void ConfigureApplication(WebHostBuilderContext context, IApplicationBui
             }
         }
 
-        if (serviceProviderIsService?.IsService(typeof(IAntiforgery)) is true)
-        {
-            if (!_builtApplication.Properties.ContainsKey(AntiforgeryMiddlewareSetKey))
-            {
-                _builtApplication.Properties[AntiforgeryMiddlewareSetKey] = true;
-                app.UseAntiforgery();
-            }
-        }
-
         // Wire the source pipeline to run in the destination pipeline
         var wireSourcePipeline = new WireSourcePipeline(_builtApplication);
         app.Use(wireSourcePipeline.CreateMiddleware);