[Form] CSRF form field still added automatically, despite stateless CSRF #60536
Comments
|
That's precisely how this works: rendering the field allows the JS side (when enabled) to have a field to hook on. |
|
OK, I see. But wouldn't it be better to introduce a Symfony option if this field should be rendered? |
|
I don't think that's a good idea: with the current implementation, the field is also needed on the server-side, to trigger the corresponding code path. In theory, we could likely remove this need, but that's likely going to be a significant change. Also, adding an option = adding complexity. 2 reasons that make me think we shouldn't do this. |
|
OK. But what about changing the |
|
The JS side yes: this gives the name of the header/cookie to use. |
Symfony version(s) affected
7.2.6
Description
Since Symfony 7.2, CSRF protection is enabled statelessly by default, see https://github.com/symfony/recipes/blob/main/symfony/form/7.2/config/packages/csrf.yaml
(If I got that wrong, then symfony/symfony-docs#20994 would be obsolete)
However, with the default settings, I'm still getting a CSRF token field rendered, with the confusing value of
csrf-token:How to reproduce
See above
Possible Solution
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: