
[Security] Decouple CSRF component from security-core #42148

@javiereguiluz


symfony/security-csrf is installable as a stand-alone package. However, it requires security-core:

```json
"require": {
    "php": ">=7.2.5",
    "symfony/security-core": "^4.4|^5.0|^6.0"
},
```

I use CSRF in some forms not related to Security, so I want CSRF but I don't want the entire Security package. Why is this important to me?

Because symfony/security-csrf is a tiny 18-file and 0.06 MB on disk package, whereas symfony/security-core is a big 258-file and 1.1 MB on disk package.

Moreover, although CSRF requires the entire Security package, it only uses two tiny exception classes from it:

Here:

```php
use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
```

And here:

```php
use Symfony\Component\Security\Core\Exception\RuntimeException;
```

So maybe we can decouple these packages? Thanks!

Labels: RFC (Request For Comments: proposals about features that you want to be discussed), Security, Stalled
