RepoJournal
.NET

@dotnet

The .NET runtime, ASP.NET, and the C# tooling

Pick a date

Topics: .NET Full archive →

The Wire · Showcase

ASPNETCORE TIGHTENS AUTHORIZATION METADATA EVERYWHERE, BLAZOR DEBUGGING EXITS

By RepoJournal · Filed · About .NET

Authorization policies now work consistently across all routing paths, not just endpoint middleware, while Blazor templates drop their deprecated WebAssembly debugging hook.

Authorization metadata handling finally converges across ASP.NET Core. Until now, only AuthorizationMiddleware honored all three kinds of authorization metadata - IAuthorizeData attributes, raw AuthorizationPolicy instances, and IAuthorizationRequirementData [1] [2]. MVC's AuthorizeFilter and other decision points ignored the latter two, creating silent gaps that let unauthorized code through. This patch unifies the model so custom authorization requirements work everywhere you'd expect them to work. On the Blazor side, UseWebAssemblyDebugging ships deprecated [3], with templates no longer emitting it by default. The tooling team flagged this as unnecessary friction for modern debugging workflows. Across the iOS bindings layer, GC-safety fixes land in macios after the HandleSafety test caught hand-written methods that freed objects before native calls completed [4]. The linker work converts Runtime.Arch optimizations to trimmer feature switches instead of IL rewrites [5], letting the trimmer fold dead branches naturally rather than through custom code. Android's trimmable typemap now emits XA4212 diagnostics for custom IJavaObject types that aren't properly rooted [6], closing a gap where the Cecil scanner missed them on the NativeAOT path. MAUI's infrastructure work hardens CI-fix automation and routes AI-agent labels more precisely [7].

Action items

References

  1. [1] Support AuthorizationPolicy and IAuthorizationRequirementData metadata everywhere (#67765) dotnet/aspnetcore
  2. [2] Support AuthorizationPolicy and IAuthorizationRequirementData metadata everywhere ↗ dotnet/aspnetcore
  3. [3] [Blazor] Deprecate UseWebAssemblyDebugging and remove it from Blazor templates (#67861) dotnet/aspnetcore
  4. [4] [src] Fix GC-safety issues in a number of APIs. (#26147) dotnet/macios
  5. [5] [linker] Convert the Runtime.Arch optimization to a trimmer feature switch. Fixes #26106. ↗ dotnet/macios
  6. [6] [TrimmableTypeMap] Emit XA4212 for custom IJavaObject types on the trimmable path ↗ dotnet/android
  7. [7] Agentic-labeler: route AI-agent and platform labels correctly ↗ dotnet/maui

Quick answers

What shipped in .NET on July 18, 2026?
Authorization policies now work consistently across all routing paths, not just endpoint middleware, while Blazor templates drop their deprecated WebAssembly debugging hook. In total, 27 commits and 31 pull requests landed.
Who contributed to .NET on July 18, 2026?
8 developers shipped this update, including Javier Calvarro Nelson, Copilot, MayaKirova, ilonatommy, Rolf Bjarne Kvinge, simonrozsival, Redth, and PureWeen.
What were the notable .NET updates?
Support AuthorizationPolicy and IAuthorizationRequirementData metadata everywhere (#67765), Support AuthorizationPolicy and IAuthorizationRequirementData metadata everywhere, and [Blazor] Deprecate UseWebAssemblyDebugging and remove it from Blazor templates (#67861).

More from @dotnet

Daily updates, in your inbox

Follow .NET

The .NET runtime, ASP.NET, and the C# tooling We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire