Fix OpenAPI server URLs for Aspire scenarios #60673
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* Support resolving OpenAPI server URLs from HttpRequest * Try passing optional params everywhere
ghost
added
the
area-mvc
There was a problem hiding this comment.
PR Overview
This PR fixes the generation of OpenAPI server URLs in proxy scenarios by properly using X-Forwarded-Proto and X-Forwarded-Host headers to compute the externally accessible URLs.
- Adds new tests to validate behavior with different forwarded header values.
- Updates the OpenApiDocumentService API to accept an optional HttpRequest parameter and adjust server URL construction accordingly.
- Modifies the endpoint extension to propagate the HttpRequest to the document service.
Reviewed Changes
| File | Description |
|---|---|
| src/OpenApi/test/Microsoft.AspNetCore.OpenApi.Tests/Services/OpenApiDocumentService/OpenApiDocumentServiceTests.Servers.cs | Introduces tests validating the use of forwarded headers and expected URL generation. |
| src/OpenApi/src/Services/OpenApiDocumentService.cs | Updates method signatures and logic to use the optional HttpRequest for URL generation. |
| src/OpenApi/test/Microsoft.AspNetCore.OpenApi.Tests/Services/OpenApiDocumentServiceTestsBase.cs | Updates verification calls to pass null for the httpRequest parameter where not applicable. |
| src/OpenApi/src/Extensions/OpenApiEndpointRouteBuilderExtensions.cs | Adjusts method calls to pass the HttpRequest in order to leverage the new URL generation logic. |
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
...NetCore.OpenApi.Tests/Services/OpenApiDocumentService/OpenApiDocumentServiceTests.Servers.cs
Show resolved
Hide resolved
captainsafia
added
feature-openapi
area-minimal
This reverts commit bf991f6.
BrennanConroy
approved these changes
Mar 7, 2025
wtgodbe
added
Servicing-approved
|
Approved over email |
This was referenced Jul 21, 2025
Closed
This was referenced Oct 23, 2025
Open
intellitect-bot
pushed a commit
to IntelliTect/EssentialCSharp.Web
that referenced
this pull request
Oct 27, 2025
Updated [Microsoft.AspNetCore.Mvc.Testing](https://github.com/dotnet/aspnetcore) from 8.0.12 to 9.0.10. <details> <summary>Release notes</summary> _Sourced from [Microsoft.AspNetCore.Mvc.Testing's releases](https://github.com/dotnet/aspnetcore/releases)._ ## 9.0.10 [Release](https://github.com/dotnet/core/releases/tag/v9.0.10) ## What's Changed * Update branding to 9.0.10 by @vseanreesermsft in dotnet/aspnetcore#63510 * [9.0] Make duplicate deb/rpm packages so we can sign them with the new PMC key by @jkoritzinsky in dotnet/aspnetcore#63249 * [release/9.0] Extend Unofficial 1ES template in IdentityModel nightly tests job by @github-actions[bot] in dotnet/aspnetcore#63465 * [release/9.0] (deps): Bump src/submodules/googletest from `373af2e` to `eb2d85e` by @dependabot[bot] in dotnet/aspnetcore#63501 * [release/9.0] Quarantine ResponseBody_WriteContentLength_PassedThrough by @wtgodbe in dotnet/aspnetcore#63533 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63304 * [release/9.0] [OpenAPI] Use invariant culture for TextWriter by @martincostello in dotnet/aspnetcore#62239 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63303 * Unquarantine `RadioButtonGetsResetAfterSubmittingEnhancedForm` by @ilonatommy in dotnet/aspnetcore#63556 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63577 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#63604 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63648 * backport(9.0): Fix runtime architecture detection logic in ANCM. by @DeagleGross in dotnet/aspnetcore#63707 **Full Changelog**: dotnet/aspnetcore@v9.0.9...v9.0.10 ## 9.0.9 [Release](https://github.com/dotnet/core/releases/tag/v9.0.9) ## What's Changed * Update branding to 9.0.9 by @vseanreesermsft in dotnet/aspnetcore#63107 * [release/9.0] (deps): Bump src/submodules/googletest from `c67de11` to `373af2e` by @dependabot[bot] in dotnet/aspnetcore#63035 * [release/9.0] Dispose the certificate chain elements with the chain by @github-actions[bot] in dotnet/aspnetcore#62992 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#62702 * [release/9.0] Update Microsoft.Build versions by @wtgodbe in dotnet/aspnetcore#62505 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#62832 * [release/9.0] Update SignalR Redis tests to use internal Docker Hub mirror by @github-actions[bot] in dotnet/aspnetcore#63116 * [release/9.0] [SignalR] Don't throw for message headers in Java client by @github-actions[bot] in dotnet/aspnetcore#62783 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#63151 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63190 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63214 **Full Changelog**: dotnet/aspnetcore@v9.0.8...v9.0.9 ## 9.0.7 [Release](https://github.com/dotnet/core/releases/tag/v9.0.7) ## What's Changed * Update branding to 9.0.7 by @vseanreesermsft in dotnet/aspnetcore#62242 * [release/9.0] (deps): Bump src/submodules/googletest from `04ee1b4` to `e9092b1` by @dependabot in dotnet/aspnetcore#62199 * Fix OpenApiJsonSchema array parsing (#62051) by @BrennanConroy in dotnet/aspnetcore#62118 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#61986 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61945 * [release/9.0] Update Alpine helix references by @wtgodbe in dotnet/aspnetcore#62240 * [Backport 9.0] [IIS] Manually parse exe bitness (#61894) by @BrennanConroy in dotnet/aspnetcore#62038 * [release/9.0] Associate tagged keys with entries so replacements are not evicted by @github-actions in dotnet/aspnetcore#62248 * [release/9.0] Block test that is failing after switching to latest-chrome by @github-actions in dotnet/aspnetcore#62283 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#62281 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#62282 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#62303 **Full Changelog**: dotnet/aspnetcore@v9.0.6...v9.0.7 ## 9.0.6 ## Bug Fixes - **Forwarded Headers Middleware: Ignore X-Forwarded-Headers from Unknown Proxy** ([#61622](dotnet/aspnetcore#61622)) The Forwarded Headers Middleware now ignores `X-Forwarded-Headers` sent from unknown proxies. This change improves security by ensuring that only trusted proxies can influence forwarded header values, preventing potential spoofing or misrouting issues. ## Dependency Updates - **Bump src/submodules/googletest from `52204f7` to `04ee1b4`** ([#61762](dotnet/aspnetcore#61762)) Updates the GoogleTest submodule to a newer commit, bringing in the latest improvements and bug fixes from the upstream project. - **Update dependencies from dotnet/arcade** ([#61714](dotnet/aspnetcore#61714)) Updates internal build and infrastructure dependencies from the dotnet/arcade repository, ensuring compatibility and access to the latest build tools. - **Update dependencies from dotnet/extensions** ([#61571](dotnet/aspnetcore#61571)) Refreshes dependencies from the dotnet/extensions repository, incorporating the latest features and fixes from the extensions libraries. - **Update dependencies from dotnet/extensions** ([#61877](dotnet/aspnetcore#61877)) Further updates dependencies from dotnet/extensions, ensuring the project benefits from recent improvements and bug fixes. - **Update dependencies from dotnet/arcade** ([#61892](dotnet/aspnetcore#61892)) Additional updates to build and infrastructure dependencies from dotnet/arcade, maintaining up-to-date tooling and build processes. ## Miscellaneous - **Update branding to 9.0.6** ([#61831](dotnet/aspnetcore#61831)) Updates the project version and branding to 9.0.6, reflecting the new release and ensuring version consistency across the codebase. - **Merging internal commits for release/9.0** ([#61925](dotnet/aspnetcore#61925)) Incorporates various internal commits into the release/9.0 branch, ensuring that all relevant changes are included in this release. --- This summary is generated and may contain inaccuracies. For complete details, please review the linked pull requests. Full Changelog: [v9.0.5...v9.0.6](dotnet/aspnetcore@v9.0.5...v9.0.6) ## 9.0.5 [Release](https://github.com/dotnet/core/releases/tag/v9.0.5) ## What's Changed * Update branding to 9.0.5 by @vseanreesermsft in dotnet/aspnetcore#61284 * [release/9.0] (deps): Bump src/submodules/googletest from `24a9e94` to `52204f7` by @dependabot in dotnet/aspnetcore#61261 * [release/9.0] Upgrade to Ubuntu 22 by @github-actions in dotnet/aspnetcore#61215 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#60964 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#60902 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61355 * [release/9.0] Caching SERedis critical bugfix; defer HC metadata detection because of DI cycle by @github-actions in dotnet/aspnetcore#60916 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#61354 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#61393 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61412 * Revert "Revert "[release/9.0] Update remnants of azureedge.net"" by @wtgodbe in dotnet/aspnetcore#60353 * [release/9.0] Fix preserving messages for stateful reconnect with backplane by @github-actions in dotnet/aspnetcore#61374 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#61483 * [Identity] Fix Identity UI asset definitions by @javiercn in dotnet/aspnetcore#59100 **Full Changelog**: dotnet/aspnetcore@v9.0.4...v9.0.5 ## 9.0.4 [Release](https://github.com/dotnet/core/releases/tag/v9.0.4) ## What's Changed * Update branding to 9.0.4 by @vseanreesermsft in dotnet/aspnetcore#60785 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#60445 * [release/9.0] (deps): Bump src/submodules/googletest from `e235eb3` to `24a9e94` by @dependabot in dotnet/aspnetcore#60678 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#60356 * Fix OpenAPI server URLs for Aspire scenarios by @captainsafia in dotnet/aspnetcore#60673 * Fix self-referential schema handling in collection schemas by @captainsafia in dotnet/aspnetcore#60410 * [release/9.0] [Blazor] Fix custom elements JS assets not being included in build output by @MackinnonBuck in dotnet/aspnetcore#60858 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#60880 **Full Changelog**: dotnet/aspnetcore@v9.0.3...v9.0.4 ## 9.0.3 [Release](https://github.com/dotnet/core/releases/tag/v9.0.3) ## What's Changed * Update branding to 9.0.3 by @vseanreesermsft in dotnet/aspnetcore#60198 * [release/9.0] Fix branding by @wtgodbe in dotnet/aspnetcore#60029 * [release/9.0] Update to MacOS 15 in Helix by @github-actions in dotnet/aspnetcore#60238 * [release/9.0] Revert "Revert "Use the latest available jdk"" by @github-actions in dotnet/aspnetcore#60229 * [release/9.0] Update `HtmlAttributePropertyHelper` to correctly follow the `MetadataUpdateHandlerAttribute` contract by @github-actions in dotnet/aspnetcore#59908 * [release/9.0] Fix skip condition for java tests by @github-actions in dotnet/aspnetcore#60242 * [release/9.0] (deps): Bump src/submodules/googletest from `7d76a23` to `e235eb3` by @dependabot in dotnet/aspnetcore#60151 * [release/9.0] Readd DiagnosticSource to KestrelServerImpl by @github-actions in dotnet/aspnetcore#60202 * [release/9.0] Redis distributed cache: add HybridCache usage signal by @github-actions in dotnet/aspnetcore#59886 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#59952 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#59951 * [release/9.0] Update remnants of azureedge.net by @sebastienros in dotnet/aspnetcore#60263 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#60291 * [release/9.0] Centralize on one docker container by @wtgodbe in dotnet/aspnetcore#60298 * Revert "[release/9.0] Update remnants of azureedge.net" by @wtgodbe in dotnet/aspnetcore#60323 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#60317 **Full Changelog**: dotnet/aspnetcore@v9.0.2...v9.0.3 ## 9.0.2 [Release](https://github.com/dotnet/core/releases/tag/v9.0.2) ## What's Changed * Update branding to 9.0.2 by @vseanreesermsft in dotnet/aspnetcore#59757 * [release/9.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#59267 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#59266 * [release/9.0] Update OSX helix queue by @github-actions in dotnet/aspnetcore#59743 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#59728 * [release/9.0] (deps): Bump src/submodules/googletest from `d144031` to `7d76a23` by @dependabot in dotnet/aspnetcore#59679 * [release/9.0] Skip tests on internal queues too by @github-actions in dotnet/aspnetcore#59578 * [release/9.0] Fix loading dotnet user-jwts config by @github-actions in dotnet/aspnetcore#59473 * [release/9.0] Fix MultipartReaderStream synchronous read when using buffer offset by @github-actions in dotnet/aspnetcore#59422 * [release/9.0] Update dependencies from dotnet/xdt by @dotnet-maestro in dotnet/aspnetcore#59419 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#59611 * [release/9.0] Fix Kestrel host header mismatch handling when port in Url by @github-actions in dotnet/aspnetcore#59362 * Migrate off of Fedora 38 by @v-firzha in dotnet/aspnetcore#59613 * [release/9.0] [Blazor WASM standalone] Avoid caching `index.html` during development by @MackinnonBuck in dotnet/aspnetcore#59348 * [release/9.0] Update to Fedora 41 by @github-actions in dotnet/aspnetcore#59816 * [release/9.0] Don't throw exception for parameters with custom binding source by @github-actions in dotnet/aspnetcore#59533 * [release/9.0] Apply schema transformer to AdditionalProperties by @github-actions in dotnet/aspnetcore#59730 * [release/9.0] Harden schema reference transformer for relative references by @captainsafia in dotnet/aspnetcore#59779 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#59847 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#59848 * [release/9.0] Return 206 Partial Content on Valid Range for Static Assets by @github-actions in dotnet/aspnetcore#59325 * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#59871 **Full Changelog**: dotnet/aspnetcore@v9.0.1...v9.0.2 ## 9.0.1 [Release](https://github.com/dotnet/core/releases/tag/v9.0.1) ## What's Changed * Merging internal commits for release/9.0 by @vseanreesermsft in dotnet/aspnetcore#58900 * [release/9.0] Prevent unnecessary debugger stops for user-unhandled exceptions in Blazor apps with Just My Code enabled by @halter73 in dotnet/aspnetcore#58573 * Hot Reload agent improvements by @tmat in dotnet/aspnetcore#58333 * [release/9.0] Update dependencies from roslyn by @wtgodbe in dotnet/aspnetcore#59183 * [release/9.0] Add direct reference to System.Drawing.Common in tools by @wtgodbe in dotnet/aspnetcore#59189 * [release/9.0] Harden parsing of [Range] attribute values by @github-actions in dotnet/aspnetcore#59077 * [release/9.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#59143 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#59024 * [release/9.0] (deps): Bump src/submodules/googletest from `6dae7eb` to `d144031` by @dependabot in dotnet/aspnetcore#59032 * [release/9.0] Update dependencies from dotnet/xdt by @dotnet-maestro in dotnet/aspnetcore#58589 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#58675 * [release/9.0] Fix SignalR Java POM to include description by @github-actions in dotnet/aspnetcore#58896 * [release/9.0] Fix IIS outofprocess to remove WebSocket compression handshake by @github-actions in dotnet/aspnetcore#58931 **Full Changelog**: dotnet/aspnetcore@v9.0.0...v9.0.1 ## 9.0.0 [Release](https://github.com/dotnet/core/releases/tag/v9.0.0) ## What's Changed * Update branding to rtm by @wtgodbe in dotnet/aspnetcore#57907 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57910 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#57922 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57954 * [release/9.0] Fix skip condition for IIS tests by @wtgodbe in dotnet/aspnetcore#57999 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#58032 * [release/9.0] Update dependencies from dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58015 * [release/9.0] Update dependencies from dotnet/winforms by @dotnet-maestro in dotnet/aspnetcore#58033 * [release/9.0] Update dependencies from dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58048 * [automated] Merge branch 'release/9.0-rc2' => 'release/9.0' by @github-actions in dotnet/aspnetcore#57975 * [release/9.0] Update dependencies from dotnet/efcore by @dotnet-maestro in dotnet/aspnetcore#58052 * Fix up OpenAPI schema handling and support concurrent requests by @captainsafia in dotnet/aspnetcore#58024 * [release/9.0] Mark API from 9 as shipped by @wtgodbe in dotnet/aspnetcore#58060 * [release/9.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#58034 * [release/9.0] Update dependencies from dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58117 * [release/9.0] Enable TSA/Policheck by @github-actions in dotnet/aspnetcore#58123 * [release/9.0] Add explicit conversion for value-type returning handlers with filters by @github-actions in dotnet/aspnetcore#57967 * [release/9.0] Update dependencies from dotnet/xdt by @dotnet-maestro in dotnet/aspnetcore#58116 * [release/9.0] (deps): Bump src/submodules/MessagePack-CSharp from `ecc4e18` to `9511905` by @dependabot in dotnet/aspnetcore#58183 * [release/9.0] (deps): Bump src/submodules/googletest from `0953a17` to `6dae7eb` by @dependabot in dotnet/aspnetcore#58184 * [release/9.0] Change usage of "Country" to "CountryRegion" by @github-actions in dotnet/aspnetcore#58280 * Merge RC2 changes into 9.0 by @wtgodbe in dotnet/aspnetcore#58296 * [release/9.0] Remove ProviderKey from Hosting Bundle by @github-actions in dotnet/aspnetcore#58293 * [release/9.0] [Blazor] Fix template nav menu styling by @github-actions in dotnet/aspnetcore#58277 * [release/9.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#58268 * [release/9.0] Update dependencies from dotnet/winforms by @dotnet-maestro in dotnet/aspnetcore#58159 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#58158 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#58157 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58182 * [release/9.0] Update dependencies from dotnet/efcore by @dotnet-maestro in dotnet/aspnetcore#58306 * [release/9.0] Update dependencies from dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58315 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58355 * [release/9.0] Update dependencies from dotnet/xdt by @dotnet-maestro in dotnet/aspnetcore#58366 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#58344 * [release/9.0] Fix handling for inert route parameters in MVC endpoints for OpenAPI by @github-actions in dotnet/aspnetcore#58311 * [release/9.0] Update dependencies from dotnet/winforms by @dotnet-maestro in dotnet/aspnetcore#58413 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58374 * [release/9.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#58414 * [release/9.0] Fix ModelMetadata for TryParse-parameters in ApiExplorer by @captainsafia in dotnet/aspnetcore#58372 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58421 * [release/9.0] Stabilize branding by @wtgodbe in dotnet/aspnetcore#58444 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58449 * [release/9.0] [Infrastructure] Updated npm packages by @MackinnonBuck in dotnet/aspnetcore#58469 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#58462 * [release/9.0] bumping ws dependency to fix component vulnerability by @github-actions in dotnet/aspnetcore#58458 * [release/9.0] Improve dev-certs export error message by @github-actions in dotnet/aspnetcore#58471 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#58475 ... (truncated) ## 9.0.0-rc.2.24474.3 [Release](https://github.com/dotnet/core/releases/tag/v9.0.0-rc.2) ## What's Changed * [automated] Merge branch 'release/9.0-rc1' => 'release/9.0' by @github-actions in dotnet/aspnetcore#57420 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57366 * [release/9.0] Add references to new 9.0 branches in .yml files by @wtgodbe in dotnet/aspnetcore#57463 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#57526 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#57446 * [release/9.0] Quarantine two CircuitTests by @github-actions in dotnet/aspnetcore#57606 * [automated] Merge branch 'release/9.0-rc1' => 'release/9.0' by @github-actions in dotnet/aspnetcore#57659 * [release/9.0] Fix duplicate error.type on kestrel.connection.duration by @github-actions in dotnet/aspnetcore#57581 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#57668 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57436 * [release/9.0] Update dependencies from dotnet/winforms by @dotnet-maestro in dotnet/aspnetcore#57527 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57686 * [release/9.0] Update dependencies from dotnet/xdt by @dotnet-maestro in dotnet/aspnetcore#57691 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#57667 * [release/9.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#57528 * [release/9.0] Update dependencies from dotnet/efcore by @dotnet-maestro in dotnet/aspnetcore#57697 * [release/9.0] [Blazor] Invoke inbound activity handlers on circuit initialization by @github-actions in dotnet/aspnetcore#57678 * Disable launching browser on Web API template by @captainsafia in dotnet/aspnetcore#57682 * [release/9.0] [Static Assets] Improve development experience by @github-actions in dotnet/aspnetcore#57764 * Include Readme.md in packages by @wtgodbe in dotnet/aspnetcore#57809 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#57759 * [release/9.0] Update dependencies from dotnet/extensions by @dotnet-maestro in dotnet/aspnetcore#57760 * [release/9.0] Update dependencies from dotnet/winforms by @dotnet-maestro in dotnet/aspnetcore#57761 * [release/9.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#57762 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57708 * HybridCache: relocate to dotnet/extensions by @mgravell in dotnet/aspnetcore#57670 * [release/9.0] (deps): Bump src/submodules/googletest from `ff233bd` to `0953a17` by @dependabot in dotnet/aspnetcore#57643 * Http.Sys: Clean up Request parsing errors by @BrennanConroy in dotnet/aspnetcore#57531 * [release/9.0] Update dependencies from dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57835 * [release/9.0] [Identity][Templates] Ensure placeholders don't overlap with text by @github-actions in dotnet/aspnetcore#57789 * [release/9.0] Update dependencies from dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57858 * Fix mapping for nested schemas and [Produces] attributes in OpenAPI implementation by @captainsafia in dotnet/aspnetcore#57852 * [release/9.0] Update dependencies from dotnet/efcore, dotnet/runtime by @dotnet-maestro in dotnet/aspnetcore#57866 * [release/9.0] [Templates] Updates libraries dependencies content by @github-actions in dotnet/aspnetcore#57864 * [release/9.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#57896 * [release/9.0-rc2] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#57931 * Add registry search for upgrade policy keys by @wtgodbe in dotnet/aspnetcore#57952 * Check for sentinel value when setting HTTP/3 error code by @amcasey in dotnet/aspnetcore#57976 * [release/9.0-rc2] [Blazor] Update `WebAssembly.DevServer` to serve the `Blazor-Environment` header by @github-actions in dotnet/aspnetcore#57974 * Fix IAsyncEnumerable controller methods to allow setting headers by @BrennanConroy in dotnet/aspnetcore#57924 * Add partitioned to cookie for SignalR browser testing by @BrennanConroy in dotnet/aspnetcore#57997 **Full Changelog**: dotnet/aspnetcore@v9.0.0-rc.1.24452.1...v9.0.0-rc.2.24474.3 ## 9.0.0-rc.1.24452.1 [Release](https://github.com/dotnet/core/releases/tag/v9.0.0-rc.1) ## 9.0.0-preview.7.24406.2 [Release](https://github.com/dotnet/core/releases/tag/v9.0.0-preview.7) ## 9.0.0-preview.6.24328.4 [Release](https://github.com/dotnet/core/releases/tag/v9.0.0-preview.6) ## 9.0.0-preview.5.24306.11 [Release](https://github.com/dotnet/core/releases/tag/v9.0.0-preview.5) ## 9.0.0-preview.4.24267.6 [Release](https://github.com/dotnet/core/releases) ## 9.0.0-preview.3.24172.13 [Release](https://github.com/dotnet/core/releases/tag/v9.0.0-preview.3) ## 9.0.0-preview.2.24128.4 [Release[(https://github.com/dotnet/core/releases/tag/v9.0.0-preview.2) ## 9.0.0-preview.1.24081.5 [Release](https://github.com/dotnet/core/releases/tag/v9.0.0-preview.1) ## 8.0.21 [Release](https://github.com/dotnet/core/releases/tag/v8.0.21) ## What's Changed * Update branding to 8.0.21 by @vseanreesermsft in dotnet/aspnetcore#63509 * [release/8.0] (deps): Bump src/submodules/googletest from `373af2e` to `eb2d85e` by @dependabot[bot] in dotnet/aspnetcore#63500 * [release/8.0] Make duplicate deb/rpm packages so we can sign them with the new PMC key by @github-actions[bot] in dotnet/aspnetcore#63250 * [release/8.0] Extend Unofficial 1ES template in IdentityModel nightly tests job by @github-actions[bot] in dotnet/aspnetcore#63466 * [release/8.0] Quarantine ResponseBody_WriteContentLength_PassedThrough by @github-actions[bot] in dotnet/aspnetcore#63534 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro[bot] in dotnet/aspnetcore#63261 * [release/8.0] Use wait assert in flaky tests by @ilonatommy in dotnet/aspnetcore#63565 * [release/8.0] Update Microsoft.Build versions by @github-actions[bot] in dotnet/aspnetcore#62507 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#63603 * backport(8.0): Fix runtime architecture detection logic in ANCM by @DeagleGross in dotnet/aspnetcore#63706 **Full Changelog**: dotnet/aspnetcore@v8.0.20...v8.0.21 ## 8.0.20 [Release](https://github.com/dotnet/core/releases/tag/v8.0.20) ## What's Changed * Update branding to 8.0.20 by @vseanreesermsft in dotnet/aspnetcore#63106 * [release/8.0] (deps): Bump src/submodules/googletest from `c67de11` to `373af2e` by @dependabot[bot] in dotnet/aspnetcore#63038 * [release/8.0] Dispose the certificate chain elements with the chain by @MackinnonBuck in dotnet/aspnetcore#62994 * [release/8.0] Update SignalR Redis tests to use internal Docker Hub mirror by @github-actions[bot] in dotnet/aspnetcore#63117 * [release/8.0] [SignalR] Don't throw for message headers in Java client by @github-actions[bot] in dotnet/aspnetcore#62784 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#63152 * [release/8.0] Update dependencies from dotnet/extensions by @dotnet-maestro[bot] in dotnet/aspnetcore#63188 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro[bot] in dotnet/aspnetcore#63189 **Full Changelog**: dotnet/aspnetcore@v8.0.19...v8.0.20 ## 8.0.18 [Release](https://github.com/dotnet/core/releases/tag/v8.0.18) ## What's Changed * Update branding to 8.0.18 by @vseanreesermsft in dotnet/aspnetcore#62241 * [release/8.0] Update Alpine helix references by @github-actions in dotnet/aspnetcore#62243 * [release/8.0] (deps): Bump src/submodules/googletest from `04ee1b4` to `e9092b1` by @dependabot in dotnet/aspnetcore#62201 * [8.0] Delete src/arcade directory by @akoeplinger in dotnet/aspnetcore#61994 * [Backport 8.0] [IIS] Manually parse exe bitness (#61894) by @BrennanConroy in dotnet/aspnetcore#62037 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/aspnetcore#62006 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61944 * [release/8.0] Associate tagged keys with entries so replacements are not evicted by @github-actions in dotnet/aspnetcore#62247 * [release/8.0] Block test that is failing after switching to latest-chrome by @github-actions in dotnet/aspnetcore#62284 * backport(net8.0): http.sys on-demand TLS client hello retrieval by @DeagleGross in dotnet/aspnetcore#62290 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#62302 **Full Changelog**: dotnet/aspnetcore@v8.0.17...v8.0.18 ## 8.0.17 ## Bug Fixes - **Forwarded Headers Middleware: Ignore X-Forwarded-Headers from Unknown Proxy** ([#61623](dotnet/aspnetcore#61623)) The Forwarded Headers Middleware now ignores `X-Forwarded-Headers` sent from unknown proxies. This change improves security by ensuring that only trusted proxies can influence the forwarded headers, preventing potential spoofing or misrouting of requests. ## Dependency Updates - **Update dependencies from dotnet/arcade** ([#61832](dotnet/aspnetcore#61832)) This update brings in the latest changes from the dotnet/arcade repository, ensuring that ASP.NET Core benefits from recent improvements, bug fixes, and security patches in the shared build infrastructure. - **Bump src/submodules/googletest from `52204f7` to `04ee1b4`** ([#61761](dotnet/aspnetcore#61761)) The GoogleTest submodule has been updated to a newer commit, providing the latest testing features, bug fixes, and performance improvements for the project's C++ test components. ## Miscellaneous - **Update branding to 8.0.17** ([#61830](dotnet/aspnetcore#61830)) The project version branding has been updated to reflect the new 8.0.17 release, ensuring consistency across build outputs and documentation. - **Merging internal commits for release/8.0** ([#61924](dotnet/aspnetcore#61924)) This change merges various internal commits into the release/8.0 branch, incorporating minor fixes, documentation updates, and other non-user-facing improvements to keep the release branch up to date. --- This summary is generated and may contain inaccuracies. For complete details, please review the linked pull requests. **Full Changelog**: dotnet/aspnetcore@v8.0.16...v8.0.17 ## 8.0.16 [Release](https://github.com/dotnet/core/releases/tag/v8.0.16) ## What's Changed * Update branding to 8.0.16 by @vseanreesermsft in dotnet/aspnetcore#61283 * [release/8.0] (deps): Bump src/submodules/googletest from `24a9e94` to `52204f7` by @dependabot in dotnet/aspnetcore#61260 * [release/8.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#61281 * [release/8.0] Upgrade to Ubuntu 22 by @wtgodbe in dotnet/aspnetcore#61216 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#60901 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/aspnetcore#60926 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61404 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#61398 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#61411 * Revert "Revert "[release/8.0] Update remnants of azureedge.net"" by @wtgodbe in dotnet/aspnetcore#60352 * [release/8.0] Fix preserving messages for stateful reconnect with backplane by @BrennanConroy in dotnet/aspnetcore#61375 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/aspnetcore#61442 * fetch TLS client hello message from HTTP.SYS by @BrennanConroy in dotnet/aspnetcore#61494 **Full Changelog**: dotnet/aspnetcore@v8.0.15...v8.0.16 ## 8.0.15 [Release](https://github.com/dotnet/core/releases/tag/v8.0.15) ## What's Changed * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#60355 * Update branding to 8.0.15 by @vseanreesermsft in dotnet/aspnetcore#60784 * Add partitioned to cookie for SignalR browser testing by @BrennanConroy in dotnet/aspnetcore#60728 * [release/8.0] (deps): Bump src/submodules/googletest from `e235eb3` to `24a9e94` by @dependabot in dotnet/aspnetcore#60677 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#60879 **Full Changelog**: dotnet/aspnetcore@v8.0.14...v8.0.15 ## 8.0.14 [Release](https://github.com/dotnet/core/releases/tag/v8.0.14) ## What's Changed * Update branding to 8.0.14 by @vseanreesermsft in dotnet/aspnetcore#60197 * [release/8.0] (deps): Bump src/submodules/googletest from `7d76a23` to `e235eb3` by @dependabot in dotnet/aspnetcore#60150 * [release/8.0] Fix java discovery in IdentityModel pipeline by @wtgodbe in dotnet/aspnetcore#60075 * [release/8.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#60199 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/aspnetcore#59922 * [release/8.0] Readd DiagnosticSource to KestrelServerImpl by @github-actions in dotnet/aspnetcore#60203 * [release/8.0] Update to MacOS 15 in Helix by @github-actions in dotnet/aspnetcore#60239 * [release/8.0] Use the latest available JDK by @wtgodbe in dotnet/aspnetcore#60233 * [release/8.0] Fix skip condition for java tests by @github-actions in dotnet/aspnetcore#60243 * [release/8.0] Update list of helix queues to skip by @wtgodbe in dotnet/aspnetcore#60231 * [release/8.0] [Blazor] Allow cascading value subscribers to get added and removed during change notification by @github-actions in dotnet/aspnetcore#57288 * [release/8.0] Update remnants of azureedge.net by @sebastienros in dotnet/aspnetcore#60264 * [release/8.0] Centralize on one docker container by @wtgodbe in dotnet/aspnetcore#60299 * Revert "[release/8.0] Update remnants of azureedge.net" by @wtgodbe in dotnet/aspnetcore#60324 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#60316 **Full Changelog**: dotnet/aspnetcore@v8.0.13...v8.0.14 ## 8.0.13 [Release](https://github.com/dotnet/core/releases/tag/v8.0.13) ## What's Changed * [release/8.0] Update dotnetbuilds CDN to new endpoint by @mmitche in dotnet/aspnetcore#59575 * Update branding to 8.0.13 by @vseanreesermsft in dotnet/aspnetcore#59756 * [release/8.0] Skip MVC template tests on HelixQueueArmDebian12 by @wtgodbe in dotnet/aspnetcore#59295 * [release/8.0] Update OSX helix queue by @github-actions in dotnet/aspnetcore#59742 * [release/8.0] (deps): Bump src/submodules/googletest from `d144031` to `7d76a23` by @dependabot in dotnet/aspnetcore#59678 * [release/8.0] Skip tests on internal queues too by @github-actions in dotnet/aspnetcore#59579 * [release/8.0] Fix Kestrel host header mismatch handling when port in Url by @BrennanConroy in dotnet/aspnetcore#59403 * Migrate off of Debian 11 by @v-firzha in dotnet/aspnetcore#59584 * [release/8.0] Pin to S.T.J 8.0.5 in Analyzers by @wtgodbe in dotnet/aspnetcore#59777 * [release/8.0] [Blazor WASM standalone] Avoid caching `index.html` during development by @github-actions in dotnet/aspnetcore#59349 * Update to Fedora 41 by @BrennanConroy in dotnet/aspnetcore#59817 * [release/8.0] Update dependencies from dotnet/source-build-externals by @dotnet-maestro in dotnet/aspnetcore#59811 * [release/8.0] Update dependencies from dotnet/source-build-reference-packages by @dotnet-maestro in dotnet/aspnetcore#59825 * [release/8.0] Update dependencies from dotnet/arcade by @dotnet-maestro in dotnet/aspnetcore#59864 * [release/8.0] Fix/update docker tags by @wtgodbe in dotnet/aspnetcore#59867 * Merging internal commits for release/8.0 by @vseanreesermsft in dotnet/aspnetcore#59872 **Full Changelog**: dotnet/aspnetcore@v8.0.12...v8.0.13 Commits viewable in [compare view](dotnet/aspnetcore@v8.0.12...v9.0.10). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Oct 27, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR supports respecting he X-Forwarded-Proto and X-Forwarded-Host headers when generating server URLs in OpenAPI documents. When these headers are present in the request, the OpenAPI document service will use them to generate the correct server URLs instead of using the original host and scheme values derived from the service configuration.
This is particularly useful in environments where the API is behind a proxy, load balancer, or gateway, allowing the generated OpenAPI document to correctly reference the public-facing URL rather than the internal service URL.
Fixes #57332
Customer Impact
Without this change, documents served behind reverse proxies or forwarded endpoints do not reflect the correct service URl, particularly impact for the ASP.NET Core + Aspire scenario. While the issue is easy to workaround, we want a smoother experience with Aspire out-of-the-box.
Regression?
Risk
Low-risk, becase change as it only affects the generation of server URLs in OpenAPI documents and does not impact the actual API functionality.
Verification
Packaging changes reviewed?