Force auto-generated CSRF token id #6724
Merged
EA is currently sensitive to the form.csrf_token_id config option. When using the new recipe for CSRF shipped with 7.2, this config option is set to "submit", which leads to using the stateless CSRF protection. But because EA doesn't load the JS snippet that goes with this protection, the admin area is broken for such apps: CSRF validation fails.
This change decouples EA from the config option and forces Symfony to auto-generate the CSRF token id, which leads to using the stateful CSRF protection. Using the session in the admin area is normal, so that's totally fine.
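As an added illustration (not EasyAdmin's own code, and not the exact mechanism this PR uses), the following PHP form type shows how a single Symfony form can opt out of a globally configured stateless token id and fall back to the session-backed token. It assumes a Symfony 7.2 app whose framework configuration comes from the CSRF recipe described above (token id `submit`, listed in `stateless_token_ids`); the form type name and field are hypothetical.

```php
<?php
// Added example, not EasyAdmin's code. Assumes a Symfony 7.2 app configured
// by the CSRF recipe, roughly:
//
//   framework:
//       csrf_protection:
//           stateless_token_ids: ['submit', 'authenticate', 'logout']
//       form:
//           csrf_protection:
//               token_id: submit
//
// With that config every form inherits the token id "submit". Because that
// id is in stateless_token_ids, validation expects the double-submit cookie
// set by the stateless CSRF JS snippet. A form rendered on a page that does
// not load that snippet (the situation described for the admin area) fails
// validation unless it opts back into the session-backed token.

namespace App\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;

// Hypothetical form type used only to demonstrate the option.
final class AdminSettingsType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        $builder->add('siteName', TextType::class);
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setDefaults([
            // Assumption: setting the option to null (rather than leaving the
            // global default "submit") makes Symfony auto-generate the id from
            // the form name. That id is not in stateless_token_ids, so the
            // token is stored in and checked against the session, which is
            // what the PR description calls the stateful protection.
            'csrf_token_id' => null,
        ]);
    }
}
```

A quick check that the switch worked: render the form and inspect the hidden `_token` field's name and the request's session. With the global `submit` id the token is valid only when the accompanying stateless cookie is sent; with the auto-generated id the form validates from the session alone and no JS snippet is required.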
An alternative would be to load the app's importmap in EA pages.
This could be nice as it would make it easier to add custom JS to admin pages, but it would be a bit more involved, and a bit unrelated.