diff --git a/UPGRADE-2.8.md b/UPGRADE-2.8.md
index 966f1f4711..0701ad8f83 100644
--- a/UPGRADE-2.8.md
+++ b/UPGRADE-2.8.md
@@ -8,32 +8,32 @@ Form
option together with the `Valid` constraint instead. Contrary to
"cascade_validation", "constraints" must be set on the respective child forms,
not the parent form.
-
+
Before:
-
+
```php
$form = $this->createForm('form', $article, array('cascade_validation' => true))
->add('author', new AuthorType())
->getForm();
```
-
+
After:
-
+
```php
use Symfony\Component\Validator\Constraints\Valid;
-
+
$form = $this->createForm('form', $article)
->add('author', new AuthorType(), array(
'constraints' => new Valid(),
))
->getForm();
```
-
+
Alternatively, you can set the `Valid` constraint in the model itself:
-
+
```php
use Symfony\Component\Validator\Constraints as Assert;
-
+
class Article
{
/**
@@ -136,3 +136,17 @@ DependencyInjection
```
+
+FrameworkBundle
+---------------
+
+ * The default value of the parameter `session`.`cookie_httponly` is now `true`.
+ It prevents scripting languages, such as JavaScript to access the cookie,
+ which help to reduce identity theft through XSS attacks. If your
+ application needs to access the session cookie, override this parameter:
+
+ ```yaml
+ framework:
+ session:
+ cookie_httponly: false
+ ```
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
index 977c0669c4..b2ff3d7c59 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -340,7 +340,7 @@ class Configuration implements ConfigurationInterface
->scalarNode('cookie_path')->end()
->scalarNode('cookie_domain')->end()
->booleanNode('cookie_secure')->end()
- ->booleanNode('cookie_httponly')->end()
+ ->booleanNode('cookie_httponly')->defaultTrue()->end()
->scalarNode('gc_divisor')->end()
->scalarNode('gc_probability')->defaultValue(1)->end()
->scalarNode('gc_maxlifetime')->end()
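Review bot: The `cookie_httponly` node now carries a security-relevant default, but nothing at the definition records why, so a later cleanup could drop `defaultTrue()` without noticing that it weakens the session cookie. A short description on the node would keep the reason next to the code, for example `->booleanNode('cookie_httponly')->info('Keeps the session cookie unreadable by client-side scripts; disable only if scripts must read it')->defaultTrue()->end()`. The `cookie_secure` node one line above still has no default, so the Secure flag presumably keeps depending on explicit configuration; that may be deliberate for plain-HTTP deployments. The builder chain starts and ends outside this hunk.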
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
index a035b56d70..677d8e8c10 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
@@ -32,7 +32,7 @@ $container->loadFromExtension('framework', array(
'cookie_path' => '/',
'cookie_domain' => 'example.com',
'cookie_secure' => true,
- 'cookie_httponly' => true,
+ 'cookie_httponly' => false,
'gc_maxlifetime' => 90000,
'gc_divisor' => 108,
'gc_probability' => 1,
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
index bf4537b910..dfd651574e 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
@@ -14,7 +14,7 @@
-
+
text/csv
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
index 47513b1f66..ad0b903e86 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
@@ -24,7 +24,7 @@ framework:
cookie_path: /
cookie_domain: example.com
cookie_secure: true
- cookie_httponly: true
+ cookie_httponly: false
gc_probability: 1
gc_divisor: 108
gc_maxlifetime: 90000
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
index edace5bf7a..4eeee524fb 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -149,7 +149,7 @@ abstract class FrameworkExtensionTest extends TestCase
$this->assertEquals('/', $options['cookie_path']);
$this->assertEquals('example.com', $options['cookie_domain']);
$this->assertTrue($options['cookie_secure']);
- $this->assertTrue($options['cookie_httponly']);
+ $this->assertFalse($options['cookie_httponly']);
$this->assertEquals(108, $options['gc_divisor']);
$this->assertEquals(1, $options['gc_probability']);
$this->assertEquals(90000, $options['gc_maxlifetime']);
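Review bot: Nothing in this change asserts the new default itself. The `cookie_httponly` assertion here becomes `assertFalse`, and the php and yml `full` fixtures are flipped to `false`, so the suite only proves that an explicit opt-out is honoured. As far as these hunks show, removing `defaultTrue()` from Configuration.php would leave every touched test green. I would add a case that loads a fixture with a `session` section but no `cookie_httponly` key and ends with `$this->assertTrue($options['cookie_httponly']);`. The enclosing test method starts and ends outside this hunk, so whether an existing fixture already fits is not visible here.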