Skip to content

/ symfony

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Decouple CSRF component from security-core #42148

Open
javiereguiluz opened this issue Jul 16, 2021 · 2 comments
Open

[Security] Decouple CSRF component from security-core #42148

javiereguiluz opened this issue Jul 16, 2021 · 2 comments
Labels
RFC Security
Milestone
5.4

Comments

@javiereguiluz
Copy link
Member

@javiereguiluz javiereguiluz commented Jul 16, 2021

symfony/security-csrf is installable as a stand-alone package. However, it requires security-core:

symfony/src/Symfony/Component/Security/Csrf/composer.json

Lines 18 to 21 in 27aceb6

"require": {
"php": ">=7.2.5",
"symfony/security-core": "^4.4|^5.0|^6.0"
},

I use CSRF in some forms not related to Security, so I want CSRF but I don't want the entire Security package. Why is this important to me?

Because symfony/security-csrf is a tiny 18-file and 0.06 MB on disk package, whereas symfony/security-core is a big 258-file and 1.1 MB on disk package.

Moreover, although CSRF requires the entire Security package, it only uses two tiny exception classes from it:

Here:

symfony/src/Symfony/Component/Security/Csrf/CsrfTokenManager.php

Line 15 in 27aceb6

use Symfony\Component\Security\Core\Exception\InvalidArgumentException;

And here:

symfony/src/Symfony/Component/Security/Csrf/Exception/TokenNotFoundException.php

Line 14 in 27aceb6

use Symfony\Component\Security\Core\Exception\RuntimeException;

So maybe we can decouple these packages? Thanks!
@javiereguiluz javiereguiluz added this to the 5.4 milestone Jul 16, 2021
@wouterj
Copy link
Member

@wouterj wouterj commented Jul 16, 2021

See #36423 The conclusion was: "Ok, let's close this PR then and revisit the issue when we will work on 5.4." So you've timed it perfectly! 😉

There are 2 things to discuss here:

  1. Is CSRF still relevant (see #34004 (comment)) for today's Symfony applications, or should we rather deprecate the whole component?

  2. There is a BC break when removing the extend from the component. I'm not aware of a way to trigger a deprecation for catching the wrong class: is there a way to accomplish this? If no, is this worth not making the change?
@wouterj wouterj added the RFC label Jul 16, 2021
@chalasr
Copy link
Member

@chalasr chalasr commented Jul 19, 2021

As discussed privately, we cannot deprecate the security-csrf component now because supporting IE11 still matters and SameSite cookies aren't supported there. But the long-term goal is to remove the component.

About the original issue, considering the goal mentioned above, I don't think it's worth breaking BC personally.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
RFC Security
Projects
None yet
Milestone
5.4
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
@javiereguiluz @wouterj @chalasr