Change the default value of cookie_httponly to fix #15303

2015-07-27 09:36:17 +02:00 · 2015-07-27 09:36:17 +02:00 · a7bef1eb2d
parent 96e211d2da
commit a7bef1eb2d
6 changed files with 27 additions and 13 deletions
--- a/UPGRADE-2.8.md
+++ b/UPGRADE-2.8.md
@ -8,32 +8,32 @@ Form
   option together with the `Valid` constraint instead. Contrary to
   "cascade_validation", "constraints" must be set on the respective child forms,
   not the parent form.
-   
+
   Before:
-   
+
   ```php
   $form = $this->createForm('form', $article, array('cascade_validation' => true))
       ->add('author', new AuthorType())
       ->getForm();
   ```
-   
+
   After:
-   
+
   ```php
   use Symfony\Component\Validator\Constraints\Valid;
-   
+
   $form = $this->createForm('form', $article)
       ->add('author', new AuthorType(), array(
           'constraints' => new Valid(),
       ))
       ->getForm();
   ```
-   
+
   Alternatively, you can set the `Valid` constraint in the model itself:
-   
+
   ```php
   use Symfony\Component\Validator\Constraints as Assert;
-   
+
   class Article
   {
       /**
@ -136,3 +136,17 @@ DependencyInjection
       <service id="foo" class="stdClass" shared="false" />
   </services>
   ```
+
+FrameworkBundle
+---------------
+
+ * The default value of the parameter `session`.`cookie_httponly` is now `true`.
+   It prevents scripting languages, such as JavaScript to access the cookie,
+   which help to reduce identity theft through XSS attacks. If your
+   application needs to access the session cookie, override this parameter:
+
+   ```yaml
+   framework:
+       session:
+           cookie_httponly: false
+   ```
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@ -340,7 +340,7 @@ class Configuration implements ConfigurationInterface
                        ->scalarNode('cookie_path')->end()
                        ->scalarNode('cookie_domain')->end()
                        ->booleanNode('cookie_secure')->end()
-                        ->booleanNode('cookie_httponly')->end()
+                        ->booleanNode('cookie_httponly')->defaultTrue()->end()
                        ->scalarNode('gc_divisor')->end()
                        ->scalarNode('gc_probability')->defaultValue(1)->end()
                        ->scalarNode('gc_maxlifetime')->end()
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
@ -32,7 +32,7 @@ $container->loadFromExtension('framework', array(
        'cookie_path' => '/',
        'cookie_domain' => 'example.com',
        'cookie_secure' => true,
-        'cookie_httponly' => true,
+        'cookie_httponly' => false,
        'gc_maxlifetime' => 90000,
        'gc_divisor' => 108,
        'gc_probability' => 1,
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
@ -14,7 +14,7 @@
        <framework:esi enabled="true" />
        <framework:profiler only-exceptions="true" enabled="false" />
        <framework:router resource="%kernel.root_dir%/config/routing.xml" type="xml" />
-        <framework:session gc-maxlifetime="90000" gc-probability="1" gc-divisor="108" storage-id="session.storage.native" handler-id="session.handler.native_file" name="_SYMFONY" cookie-lifetime="86400" cookie-path="/" cookie-domain="example.com" cookie-secure="true" cookie-httponly="true" save-path="/path/to/sessions" />
+        <framework:session gc-maxlifetime="90000" gc-probability="1" gc-divisor="108" storage-id="session.storage.native" handler-id="session.handler.native_file" name="_SYMFONY" cookie-lifetime="86400" cookie-path="/" cookie-domain="example.com" cookie-secure="true" cookie-httponly="false" save-path="/path/to/sessions" />
        <framework:request>
            <framework:format name="csv">
                <framework:mime-type>text/csv</framework:mime-type>
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
@ -24,7 +24,7 @@ framework:
        cookie_path:      /
        cookie_domain:    example.com
        cookie_secure:    true
-        cookie_httponly:  true
+        cookie_httponly:  false
        gc_probability:  1
        gc_divisor:      108
        gc_maxlifetime:  90000
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@ -149,7 +149,7 @@ abstract class FrameworkExtensionTest extends TestCase
        $this->assertEquals('/', $options['cookie_path']);
        $this->assertEquals('example.com', $options['cookie_domain']);
        $this->assertTrue($options['cookie_secure']);
-        $this->assertTrue($options['cookie_httponly']);
+        $this->assertFalse($options['cookie_httponly']);
        $this->assertEquals(108, $options['gc_divisor']);
        $this->assertEquals(1, $options['gc_probability']);
        $this->assertEquals(90000, $options['gc_maxlifetime']);