Skip to content

[Security] Decouple CSRF component from security-core #42148

New issue
New issue
Closed
Closed
[Security] Decouple CSRF component from security-core#42148
Labels
RFCRFC = Request For Comments (proposals about features that you want to be discussed)SecurityStalled
Milestone
5.4
@javiereguiluz

Description

@javiereguiluz
javiereguiluz
opened on Jul 16, 2021

symfony/security-csrf is installable as a stand-alone package. However, it requires security-core:

symfony/src/Symfony/Component/Security/Csrf/composer.json

Lines 18 to 21 in 27aceb6

"require": {
"php": ">=7.2.5",
"symfony/security-core": "^4.4|^5.0|^6.0"
},

I use CSRF in some forms not related to Security, so I want CSRF but I don't want the entire Security package. Why is this important to me?

Because symfony/security-csrf is a tiny 18-file and 0.06 MB on disk package, whereas symfony/security-core is a big 258-file and 1.1 MB on disk package.

Moreover, although CSRF requires the entire Security package, it only uses two tiny exception classes from it:

Here:

symfony/src/Symfony/Component/Security/Csrf/CsrfTokenManager.php

Line 15 in 27aceb6

use Symfony\Component\Security\Core\Exception\InvalidArgumentException;

And here:

symfony/src/Symfony/Component/Security/Csrf/Exception/TokenNotFoundException.php

Line 14 in 27aceb6

use Symfony\Component\Security\Core\Exception\RuntimeException;

So maybe we can decouple these packages? Thanks!

Metadata

Metadata

Assignees

No one assigned

    Labels

    RFCRFC = Request For Comments (proposals about features that you want to be discussed)SecurityStalled

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions