Symfony version(s) affected
4.4 - 6
Description
I have some remarks regarding https://symfony.com/blog/cve-2022-24894-prevent-storing-cookie-headers-in-httpcache and its fix in d2f6322.
a) First, why remove the header but still store the response? That can cause unwanted behaviour, doesn't it? Imho what should be done is to not store the response at all if `Set-Cookie` (or any other configured header) is present.

b) Moreover, I think it should've been fixed in `HttpCache`, not in `Store`. It's a problem that affects all the `StoreInterface` implementations, doesn't it? We already have a `private_headers` config that's similar but based on the request and (correctly) affects the behavior of the `HttpCache` no matter the used `StoreInterface` implementation. So why not introduce a new config there for headers that should cause a response not to be cached at all? Something like `uncacheable_response_headers`?

But maybe there are good reasons for the fix in `Store` which I'm missing? As it was a security fix, there is no PR and no discussion for the public where I could've possibly read the reasons for this design decision :-)
How to reproduce
Possible Solution
No response
Additional Context
No response
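The two behaviours contrasted in point a) of the report, as an added illustration that is not Symfony code and not the reporter's: a toy in-memory store with one write path that strips the configured headers but stores the response anyway, and one that refuses to store the response when such a header is present. The class names, function names, the `/account` URL and the sample response are all hypothetical and constructed for this example.

```php
<?php
// Added illustration (not Symfony code): a minimal reverse-proxy cache model
// contrasting "strip Set-Cookie but still store" with "don't store at all".
// Every class, function and sample value here is hypothetical.

final class CachedResponse
{
    /** @param array<string, string> $headers */
    public function __construct(public array $headers, public string $body) {}
}

final class ToyStore
{
    /** @var array<string, CachedResponse> */
    private array $entries = [];

    public function lookup(string $url): ?CachedResponse
    {
        return $this->entries[$url] ?? null;
    }

    public function write(string $url, CachedResponse $response): void
    {
        $this->entries[$url] = $response;
    }
}

// HTTP header names are case-insensitive, so compare them that way.
function hasHeader(array $headers, string $name): bool
{
    foreach (array_keys($headers) as $existing) {
        if (strcasecmp($existing, $name) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Variant A (the behaviour the report objects to): remove the configured
 * headers from the stored copy, but store the rest of the response.
 */
function storeStripping(ToyStore $store, string $url, CachedResponse $response, array $uncacheable): void
{
    $kept = [];
    foreach ($response->headers as $name => $value) {
        $drop = false;
        foreach ($uncacheable as $candidate) {
            if (strcasecmp($name, $candidate) === 0) {
                $drop = true;
                break;
            }
        }
        if (!$drop) {
            $kept[$name] = $value;
        }
    }
    $store->write($url, new CachedResponse($kept, $response->body));
}

/**
 * Variant B (the behaviour the report proposes): if any configured header is
 * present, treat the whole response as uncacheable and store nothing.
 * Returns whether the response was stored.
 */
function storeRefusing(ToyStore $store, string $url, CachedResponse $response, array $uncacheable): bool
{
    foreach ($uncacheable as $candidate) {
        if (hasHeader($response->headers, $candidate)) {
            return false;
        }
    }
    $store->write($url, $response);
    return true;
}

// Constructed sample: an origin response that starts a session and whose body
// was rendered for the user who owns that session.
$origin = new CachedResponse(
    ['Content-Type' => 'text/html', 'Set-Cookie' => 'PHPSESSID=abc123; HttpOnly'],
    '<p>Welcome back, alice@example.com</p>'
);
$uncacheable = ['Set-Cookie'];

// Variant A: the cookie is gone from the stored copy, but the personalised
// body is now served to whoever requests /account next.
$storeA = new ToyStore();
storeStripping($storeA, '/account', $origin, $uncacheable);
$hit = $storeA->lookup('/account');
var_dump(hasHeader($hit->headers, 'Set-Cookie'));
var_dump($hit->body);

// Variant B: nothing is stored, so a later lookup misses.
$storeB = new ToyStore();
var_dump(storeRefusing($storeB, '/account', $origin, $uncacheable));
var_dump($storeB->lookup('/account'));
```

Running this shows the point of the report: in Variant A the header is gone from the cached copy while the body written for one user remains in the shared cache; in Variant B the lookup misses because the response was never written. In a real deployment the origin should also mark such responses `Cache-Control: private` or `no-store`, which a compliant shared cache honours independently of any header-name list; the header-based check is a second line of defence for responses that forget to do so.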