From a7bef1eb2d4bcd45a840f073975a98dbbd0f25d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Deruss=C3=A9?= Date: Mon, 27 Jul 2015 09:36:17 +0200 Subject: [PATCH] Change the default value of cookie_httponly to fix #15303 --- UPGRADE-2.8.md | 30 ++++++++++++++----- .../DependencyInjection/Configuration.php | 2 +- .../DependencyInjection/Fixtures/php/full.php | 2 +- .../DependencyInjection/Fixtures/xml/full.xml | 2 +- .../DependencyInjection/Fixtures/yml/full.yml | 2 +- .../FrameworkExtensionTest.php | 2 +- 6 files changed, 27 insertions(+), 13 deletions(-) diff --git a/UPGRADE-2.8.md b/UPGRADE-2.8.md index 966f1f4711132..0701ad8f8374e 100644 --- a/UPGRADE-2.8.md +++ b/UPGRADE-2.8.md @@ -8,32 +8,32 @@ Form option together with the `Valid` constraint instead. Contrary to "cascade_validation", "constraints" must be set on the respective child forms, not the parent form. - + Before: - + ```php $form = $this->createForm('form', $article, array('cascade_validation' => true)) ->add('author', new AuthorType()) ->getForm(); ``` - + After: - + ```php use Symfony\Component\Validator\Constraints\Valid; - + $form = $this->createForm('form', $article) ->add('author', new AuthorType(), array( 'constraints' => new Valid(), )) ->getForm(); ``` - + Alternatively, you can set the `Valid` constraint in the model itself: - + ```php use Symfony\Component\Validator\Constraints as Assert; - + class Article { /** @@ -136,3 +136,17 @@ DependencyInjection ``` + +FrameworkBundle +--------------- + + * The default value of the parameter `session`.`cookie_httponly` is now `true`. + It prevents scripting languages, such as JavaScript to access the cookie, + which help to reduce identity theft through XSS attacks. If your + application needs to access the session cookie, override this parameter: + + ```yaml + framework: + session: + cookie_httponly: false + ``` 
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
index 977c0669c409c..b2ff3d7c59496 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -340,7 +340,7 @@ private function addSessionSection(ArrayNodeDefinition $rootNode)
 ->scalarNode('cookie_path')->end()
 ->scalarNode('cookie_domain')->end()
 ->booleanNode('cookie_secure')->end()
- ->booleanNode('cookie_httponly')->end()
+ ->booleanNode('cookie_httponly')->defaultTrue()->end()
 ->scalarNode('gc_divisor')->end()
 ->scalarNode('gc_probability')->defaultValue(1)->end()
 ->scalarNode('gc_maxlifetime')->end()
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
index a035b56d70029..677d8e8c1020d 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/full.php
@@ -32,7 +32,7 @@
 'cookie_path' => '/',
 'cookie_domain' => 'example.com',
 'cookie_secure' => true,
- 'cookie_httponly' => true,
+ 'cookie_httponly' => false,
 'gc_maxlifetime' => 90000,
 'gc_divisor' => 108,
 'gc_probability' => 1,
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
index bf4537b910e8b..dfd651574e48d 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/full.xml
@@ -14,7 +14,7 @@ - + text/csv 
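Review bot: `cookie_secure` on the line directly above is left without a default while `cookie_httponly` gains `defaultTrue()`, so the session cookie is HttpOnly by default but still sent over plain HTTP unless the application opts in; a `true` default for `cookie_secure` would break non-TLS setups, so leaving it is defensible, but the asymmetry deserves a hint on the node. Before this change an omitted `cookie_httponly` presumably left PHP's `session.cookie_httponly` ini value in effect, whereas a hard default of `true` will now win whenever the session section is enabled — the UPGRADE note should say so, since an application that deliberately set the ini value to 0 is silently changed. If the other nodes in this file carry `->info()` hints, I would add one here: `->booleanNode('cookie_httponly')->defaultTrue()->info('Set the HttpOnly flag on the session cookie; overrides session.cookie_httponly from php.ini')->end()`. The enclosing `addSessionSection()` starts and ends outside the hunk.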
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
index 47513b1f665b5..ad0b903e8637f 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/full.yml
@@ -24,7 +24,7 @@ framework:
 cookie_path: /
 cookie_domain: example.com
 cookie_secure: true
- cookie_httponly: true
+ cookie_httponly: false
 gc_probability: 1
 gc_divisor: 108
 gc_maxlifetime: 90000
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
index edace5bf7a9ad..4eeee524fbc37 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -149,7 +149,7 @@ public function testSession()
 $this->assertEquals('/', $options['cookie_path']);
 $this->assertEquals('example.com', $options['cookie_domain']);
 $this->assertTrue($options['cookie_secure']);
- $this->assertTrue($options['cookie_httponly']);
+ $this->assertFalse($options['cookie_httponly']);
 $this->assertEquals(108, $options['gc_divisor']);
 $this->assertEquals(1, $options['gc_probability']);
 $this->assertEquals(90000, $options['gc_maxlifetime']);
pFad - Phonifier reborn
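Review bot: The flipped assertion `$this->assertFalse($options['cookie_httponly']);` only checks that an explicit `false` in the `full` fixtures is honoured; nothing in this diff asserts that the new default is `true` when the option is omitted, so dropping `defaultTrue()` again would pass the suite unnoticed. Unless a default-configuration test elsewhere already covers it, add a case that loads the session section without `cookie_httponly` and asserts `$this->assertTrue($options['cookie_httponly']);` on the same `$options` array this test reads. The body of `testSession()` starts and continues outside the hunk.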
