[HttpFoundation] add a default Content-Language to the Response #36507
Conversation
| @@ -81,6 +81,12 @@ public function getConfigTreeBuilder() | |||
| ->scalarNode('ide')->defaultNull()->end() | |||
| ->booleanNode('test')->end() | |||
| ->scalarNode('default_locale')->defaultValue('en')->end() | |||
| ->arrayNode('available_locales') | |||
There was a problem hiding this comment.
there is enabled_locales already, can't we reuse it?
There was a problem hiding this comment.
it's in the translator section.
what if the translator is not available?
Is it still relevant to reuse it?
There was a problem hiding this comment.
My fear is that it will be confusing for users to have to configure this twice.
There was a problem hiding this comment.
I suggest to make the translator option defaulting to the value of this new parameter if not set explicitly (and to not set it explicitly in the recipe). It’s already what we do for the default local IIRC.
There was a problem hiding this comment.
or we could move the setting out of the translation subtree.
again, having twice the same setting is calling for troubles to me.
src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
Outdated
Show resolved
Hide resolved
src/Symfony/Component/HttpKernel/EventListener/LocaleListener.php
Outdated
Show resolved
Hide resolved
|
What's the purpose of this feature? HTTP negotiation is tricky, as explained on the doc of Varnish and on Cloudflare (which actively works against HTTP negotiation btw). Most apps do localization by embedding the locale into URLs. This removes all issues with HTTP negotiation. Thus the challenge I'm posting here: why? :) |
|
Hello @nicolas-grekas :)
We can agree that, as defined in RFC 2616 the content language(s) should be expressed by the Content-Language Header. Which is not the case at the moment in Symfony. It could be one or multiple languages, but let stick to a default behaviour where our content is only made of one language. Thus as corollary, we should be able to serve the data according to the Having this managed by default allows us to stick closer to the HTTP behaviour, It does not override the URL locale behaviour, which is still the best solution when using cloudflare.
I applied @dunglas solution for now but find it "hacky". |
|
Instead of copying the request on the response, which might be just wrong, what about using the locale - the one that the locale-aware services manage? |
|
I am not sure to follow your train of thought. I'll check but I have the feeling that Oh ok, Let' say this: Now I create a Was that an intended behaviour or is it missing a check upon wether it's a master request or not? I feel like this should expect to be fr https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpKernel/Tests/EventListener/LocaleAwareListenerTest.php#L56 And anyway, it's a copy from the request, of course, we should be able to serve the result the closest what has been asked. Something else to do maybe, could be to keep track of every langage used by the translator, (in addition to the classic behaviour of, "I want a language and you shall give me the most approaching result") and if it differs from what's expected, then setup the different languages used by the translator. (but in another translator related listener I suppose, and in another PR ^^). WDYT? |
|
My thought is that HTTP negotiation is risky, look eg at this patch, which fixes a CVE. I'm not sure we should default to using HTTP negotiation at all. The URL is a much better way to select the locale, both internally (the app) and for clients (browsers). |
|
Alright, I let go this PR... It's a pity. @dunglas I think we should follow the same recommendation for API-Platform then. |
|
What's the status of this PR? @nicolas-grekas? |
|
My reasoning here is that this adds complexity, has risks (cache poisoning) and very specific benefits. |
|
Closing meanwhile. |
|
Hello @nicolas-grekas :) I'd like to challenge you (and the community of course) again on this one :p This is not really a discouraged usage of HTTP. When I look at the documentation you sent, it's more of a cache sharding behaviour that is to be expected. Not a cache poisoning. I saw your accept-content revert commit, and it's not the same thing at all, it is against the specification itself, while accept-language is not. Anyway in terms of risk of DDOS attack the fact that one could theorically ping every language authorized possible does not change regardless the way of doing it. URL nor Header. All that being said, I don't see this as much as a risk for 2 reasons. It's part of the HTTP specification, and it's opt-in. Moreover, since the browsers are already set with one's prefered languages it's a win-win for everyone in my opinion. |
|
Hi @GregoireHebert 👋🏻 This subject came back in the core team recently. Since this is opt-in and already targets to restrict the locales forwarded from the request to the response, we're open to re-discuss it. Would you be up to work back on this? |
|
Yup sure, with pleasure! |
…n (GregoireHebert) This PR was merged into the 5.4 branch. Discussion ---------- [HttpKernel] Add basic support for language negotiation | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Continuation of #36507. Thanks `@GregoireHebert`! This PR adds two options to the framework configuration: - `set_locale_from_accept_language`: Makes the `Request`' locale automatically set based on the `Accept-Language` header (restricted by a new `framework.enabled_locales` config option which replaces `framework.translator.enabled_locales`). The explicit `_locale` request attribute always wins over the `Accept-Language` header when it's set. - `set_content_language_from_locale`: Sets the `Content-Language` Response header based on the `Request`' locale. This is going to be useful for API Platform and related (e.g. Sylius/Sylius#11412). Commits ------- 904b54f [HttpKernel] Add basic support for language negotiation
This PR will allow to add a default Content-Language header in the Response.
It also add a new
available_localesentry under the framework configuration.If this array is not empty, it will try to set the request locale according to the preferredLanguage (Accept-Language header), only if there isn't any
_localeattribute.Todo