Change the default value of cookie_httponly to fix #15303
parent
96e211d2da
commit
a7bef1eb2d
@ -8,32 +8,32 @@ Form
|
||||||
option together with the `Valid` constraint instead. Contrary to
|
option together with the `Valid` constraint instead. Contrary to
|
||||||
"cascade_validation", "constraints" must be set on the respective child forms,
|
"cascade_validation", "constraints" must be set on the respective child forms,
|
||||||
not the parent form.
|
not the parent form.
|
||||||
|
|
||||||
Before:
|
Before:
|
||||||
|
|
||||||
```php
|
```php
|
||||||
$form = $this->createForm('form', $article, array('cascade_validation' => true))
|
$form = $this->createForm('form', $article, array('cascade_validation' => true))
|
||||||
->add('author', new AuthorType())
|
->add('author', new AuthorType())
|
||||||
->getForm();
|
->getForm();
|
||||||
```
|
```
|
||||||
|
|
||||||
After:
|
After:
|
||||||
|
|
||||||
```php
|
```php
|
||||||
use Symfony\Component\Validator\Constraints\Valid;
|
use Symfony\Component\Validator\Constraints\Valid;
|
||||||
|
|
||||||
$form = $this->createForm('form', $article)
|
$form = $this->createForm('form', $article)
|
||||||
->add('author', new AuthorType(), array(
|
->add('author', new AuthorType(), array(
|
||||||
'constraints' => new Valid(),
|
'constraints' => new Valid(),
|
||||||
))
|
))
|
||||||
->getForm();
|
->getForm();
|
||||||
```
|
```
|
||||||
|
|
||||||
Alternatively, you can set the `Valid` constraint in the model itself:
|
Alternatively, you can set the `Valid` constraint in the model itself:
|
||||||
|
|
||||||
```php
|
```php
|
||||||
use Symfony\Component\Validator\Constraints as Assert;
|
use Symfony\Component\Validator\Constraints as Assert;
|
||||||
|
|
||||||
class Article
|
class Article
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
|
@ -136,3 +136,17 @@ DependencyInjection
|
||||||
<service id="foo" class="stdClass" shared="false" />
|
<service id="foo" class="stdClass" shared="false" />
|
||||||
</services>
|
</services>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
FrameworkBundle
|
||||||
|
---------------
|
||||||
|
|
||||||
|
* The default value of the parameter `session`.`cookie_httponly` is now `true`.
|
||||||
|
It prevents scripting languages, such as JavaScript to access the cookie,
|
||||||
|
which help to reduce identity theft through XSS attacks. If your
|
||||||
|
application needs to access the session cookie, override this parameter:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
framework:
|
||||||
|
session:
|
||||||
|
cookie_httponly: false
|
||||||
|
```
|
||||||
|
|
|
@ -340,7 +340,7 @@ class Configuration implements ConfigurationInterface
|
||||||
->scalarNode('cookie_path')->end()
|
->scalarNode('cookie_path')->end()
|
||||||
->scalarNode('cookie_domain')->end()
|
->scalarNode('cookie_domain')->end()
|
||||||
->booleanNode('cookie_secure')->end()
|
->booleanNode('cookie_secure')->end()
|
||||||
->booleanNode('cookie_httponly')->end()
|
->booleanNode('cookie_httponly')->defaultTrue()->end()
|
||||||
->scalarNode('gc_divisor')->end()
|
->scalarNode('gc_divisor')->end()
|
||||||
->scalarNode('gc_probability')->defaultValue(1)->end()
|
->scalarNode('gc_probability')->defaultValue(1)->end()
|
||||||
->scalarNode('gc_maxlifetime')->end()
|
->scalarNode('gc_maxlifetime')->end()
|
||||||
|
|
|
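Review bot: The hardening is only half-applied in this hunk: `cookie_httponly` now gets `->defaultTrue()`, but the `cookie_secure` node directly above it is still `->booleanNode('cookie_secure')->end()` with no default, so a session cookie that JavaScript can no longer read is still sent over plain HTTP unless each application opts in. A universal `true` default for `cookie_secure` would break plain-HTTP development setups, so I would not change the default here, but the trade-off should be recorded on the node, e.g. `->booleanNode('cookie_secure')->info('Set to true when the application is served over HTTPS only; not defaulted because it breaks plain-HTTP setups')->end()`. For the same reason the new default deserves its own one-line rationale next to it, e.g. `->booleanNode('cookie_httponly')->defaultTrue()->info('HttpOnly keeps the session cookie out of reach of JavaScript, limiting session theft through XSS')->end()`, so the reasoning lives in the schema and not only in the upgrade notes. Whether the defaulted value actually reaches the session storage options depends on how the extension copies these keys, which is outside this hunk; the enclosing method also starts and ends outside it.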
@ -32,7 +32,7 @@ $container->loadFromExtension('framework', array(
|
||||||
'cookie_path' => '/',
|
'cookie_path' => '/',
|
||||||
'cookie_domain' => 'example.com',
|
'cookie_domain' => 'example.com',
|
||||||
'cookie_secure' => true,
|
'cookie_secure' => true,
|
||||||
'cookie_httponly' => true,
|
'cookie_httponly' => false,
|
||||||
'gc_maxlifetime' => 90000,
|
'gc_maxlifetime' => 90000,
|
||||||
'gc_divisor' => 108,
|
'gc_divisor' => 108,
|
||||||
'gc_probability' => 1,
|
'gc_probability' => 1,
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
<framework:esi enabled="true" />
|
<framework:esi enabled="true" />
|
||||||
<framework:profiler only-exceptions="true" enabled="false" />
|
<framework:profiler only-exceptions="true" enabled="false" />
|
||||||
<framework:router resource="%kernel.root_dir%/config/routing.xml" type="xml" />
|
<framework:router resource="%kernel.root_dir%/config/routing.xml" type="xml" />
|
||||||
<framework:session gc-maxlifetime="90000" gc-probability="1" gc-divisor="108" storage-id="session.storage.native" handler-id="session.handler.native_file" name="_SYMFONY" cookie-lifetime="86400" cookie-path="/" cookie-domain="example.com" cookie-secure="true" cookie-httponly="true" save-path="/path/to/sessions" />
|
<framework:session gc-maxlifetime="90000" gc-probability="1" gc-divisor="108" storage-id="session.storage.native" handler-id="session.handler.native_file" name="_SYMFONY" cookie-lifetime="86400" cookie-path="/" cookie-domain="example.com" cookie-secure="true" cookie-httponly="false" save-path="/path/to/sessions" />
|
||||||
<framework:request>
|
<framework:request>
|
||||||
<framework:format name="csv">
|
<framework:format name="csv">
|
||||||
<framework:mime-type>text/csv</framework:mime-type>
|
<framework:mime-type>text/csv</framework:mime-type>
|
||||||
|
|
|
@ -24,7 +24,7 @@ framework:
|
||||||
cookie_path: /
|
cookie_path: /
|
||||||
cookie_domain: example.com
|
cookie_domain: example.com
|
||||||
cookie_secure: true
|
cookie_secure: true
|
||||||
cookie_httponly: true
|
cookie_httponly: false
|
||||||
gc_probability: 1
|
gc_probability: 1
|
||||||
gc_divisor: 108
|
gc_divisor: 108
|
||||||
gc_maxlifetime: 90000
|
gc_maxlifetime: 90000
|
||||||
|
|
|
@ -149,7 +149,7 @@ abstract class FrameworkExtensionTest extends TestCase
|
||||||
$this->assertEquals('/', $options['cookie_path']);
|
$this->assertEquals('/', $options['cookie_path']);
|
||||||
$this->assertEquals('example.com', $options['cookie_domain']);
|
$this->assertEquals('example.com', $options['cookie_domain']);
|
||||||
$this->assertTrue($options['cookie_secure']);
|
$this->assertTrue($options['cookie_secure']);
|
||||||
$this->assertTrue($options['cookie_httponly']);
|
$this->assertFalse($options['cookie_httponly']);
|
||||||
$this->assertEquals(108, $options['gc_divisor']);
|
$this->assertEquals(108, $options['gc_divisor']);
|
||||||
$this->assertEquals(1, $options['gc_probability']);
|
$this->assertEquals(1, $options['gc_probability']);
|
||||||
$this->assertEquals(90000, $options['gc_maxlifetime']);
|
$this->assertEquals(90000, $options['gc_maxlifetime']);
|
||||||
|
|
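Review bot: The only assertion touching the new default, `$this->assertFalse($options['cookie_httponly']);`, verifies the fixture's explicit override (the fixtures in this commit all set `cookie_httponly` to `false`) rather than the `defaultTrue()` the commit introduces, so nothing visible here checks that a session configuration which omits the key yields an HttpOnly cookie. Add a test that builds the container from a configuration without `cookie_httponly` and asserts `$this->assertTrue($options['cookie_httponly']);`, using whatever helper this class already uses to obtain `$options` (that code is outside the hunk). Without it, a regression that drops the default would pass this suite unnoticed, since every fixture now pins the value explicitly. The enclosing test method starts and ends outside the hunk.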