Description
Currently the CSRF token is generated in the FormType itself on the PHP side here.
In this case the CSRF token will be generated and the session is accessed, which will automatically make the request private by the AUTO_CACHE_CONTROL. I think the auto cache control is a great feature and avoids returning secured data, but in the case of the CSRF token it makes things a little bit harder. In Symfony versions before the auto cache control I could override the CSRF token rendering and use ESI to load the CSRF token. This looked like the following in our implementation in the form theme:
```twig
{%- block csrf_token_widget %}
    {# Render only the token via ESI so the rest of the page stays cacheable #}
    {{ render_esi(controller('Sulu\\Bundle\\FormBundle\\Controller\\FormTokenController::tokenAction', {
        'form': form.parent.vars.name,
        'html': true
    })) }}
{%- endblock csrf_token_widget -%}
```
The controller looked like this:
I would like to implement a csrf_token_mode which can be set to lazy, where the CSRF token is rendered in the form theme, maybe via ESI or hinclude. For some websites this way the CSRF token could also be loaded only after the user has begun to type something, and for all other users no CSRF token is generated.
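As an added illustration of the fragment approach described above (this is not the Sulu controller from the issue, nor Symfony's own code), a minimal fragment controller that only emits the CSRF hidden input and marks its own response private, so the page embedding it via ESI can remain publicly cacheable. Assumptions: the class name `CsrfTokenFragmentController` is invented, the `form` and `html` attributes arrive from `controller()` as request attributes, and the form uses the default `csrf_token_id` (the form name) and default field name `_token`.

```php
<?php
// Added example: a fragment controller that isolates session access (CSRF token
// generation) from the cacheable page. Class name and attribute mapping are assumptions.
namespace App\Controller;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

final class CsrfTokenFragmentController
{
    public function __construct(private CsrfTokenManagerInterface $csrfTokenManager)
    {
    }

    // $form and $html are filled from the attributes passed to controller() in the form theme.
    public function __invoke(string $form, bool $html = true): Response
    {
        // getToken() touches the session; with the default options the token id equals the form name.
        $token = $this->csrfTokenManager->getToken($form)->getValue();

        if ($html) {
            // Same field layout the FormType would render: <formname>[_token]
            $body = sprintf(
                '<input type="hidden" name="%s[_token]" value="%s">',
                htmlspecialchars($form, ENT_QUOTES),
                htmlspecialchars($token, ENT_QUOTES)
            );
        } else {
            $body = $token;
        }

        $response = new Response($body);
        // Only this fragment is per-session: never let a shared cache store or reuse it,
        // while the surrounding page (which never touched the session) can stay public.
        $response->setPrivate();
        $response->headers->addCacheControlDirective('no-store');

        return $response;
    }
}
```

When the page is rendered with `render_esi`, the reverse proxy fetches this fragment separately; the `private`/`no-store` directives are what keep one user's token from ever being served to another.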