pub async fn update(
__arg0: State<Container>,
session: Option<Session>,
__arg2: Json<UpdateRequest>,
) -> Result<Response, Error>Expand description
POST /_spark/update — decode each component’s snapshot, apply property writes,
dispatch the requested method, and return refreshed HTML + new snapshots.
CSRF model:
- If the session layer is installed (typical), the
_tokenfield on the request body must match the session-bound CSRF token. Cross-origin POSTs that replay a leaked snapshot get HTTP 419 + a page reload. - If no session layer is present, the check is skipped — matching the
pass-through behavior of
anvil_core::middleware::builtin::csrfso apps that don’t enable sessions aren’t forced to think about CSRF.