\Drupal\Core\Access\RouteProcessorCsrf does not add the correct cache context when generating non-HTML responses

Created on 4 June 2025, 28 days ago

Problem/Motivation

If the current request is not an HTML request, we generate the URL with the CSRF token written directly into it rather than as a placeholder, but unlike the placeholder branch we do not add the correct cache context to the URL's bubbleable metadata.

      if (!$bubbleable_metadata || $this->requestStack->getCurrentRequest()->getRequestFormat() !== 'html') {
        $parameters['token'] = $this->csrfToken->get($path);
      }
      else {

Steps to reproduce

Proposed resolution

Do

      if (!$bubbleable_metadata || $this->requestStack->getCurrentRequest()->getRequestFormat() !== 'html') {
        $parameters['token'] = $this->csrfToken->get($path);
        $bubbleable_metadata?->addCacheContexts(['session']);
      }
      else {

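Added example (not part of this issue, the merge request, or Drupal core): a PHPUnit unit test that exercises the non-HTML branch above and asserts that the 'session' cache context is bubbled up alongside the inlined token. It assumes the Drupal 11 signatures of RouteProcessorCsrf::__construct(CsrfTokenGenerator, RequestStack) and OutboundRouteProcessorInterface::processOutbound($route_name, Route, array &$parameters, ?BubbleableMetadata); the class name, route path and token value are constructed for the example.

```php
<?php

namespace Drupal\Tests\Core\Access;

use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\Access\RouteProcessorCsrf;
use Drupal\Core\Render\BubbleableMetadata;
use Drupal\Tests\UnitTestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Routing\Route;

/**
 * Example test (not core's own): a non-HTML request that embeds a CSRF token
 * in a URL must make the containing response vary by session.
 */
class RouteProcessorCsrfNonHtmlExampleTest extends UnitTestCase {

  public function testNonHtmlRequestAddsSessionCacheContext(): void {
    // Constructed token value; the real generator derives it from the session.
    $csrf_token = $this->createMock(CsrfTokenGenerator::class);
    $csrf_token->expects($this->once())
      ->method('get')
      ->with('example-path')
      ->willReturn('example-token');

    // A JSON request, so the processor takes the non-placeholder branch.
    $request = Request::create('/example-path', 'GET');
    $request->setRequestFormat('json');
    $request_stack = new RequestStack();
    $request_stack->push($request);

    $processor = new RouteProcessorCsrf($csrf_token, $request_stack);

    // Route with the _csrf_token requirement, the same condition the
    // processor checks before touching the parameters.
    $route = new Route('/example-path', [], ['_csrf_token' => 'TRUE']);
    $parameters = [];
    $bubbleable_metadata = new BubbleableMetadata();

    $processor->processOutbound('example_route', $route, $parameters, $bubbleable_metadata);

    // The token is written straight into the query parameters...
    $this->assertSame('example-token', $parameters['token']);
    // ...so the response carrying this URL is per-session. Before the change
    // proposed in this issue the contexts are empty and this assertion fails.
    $this->assertContains('session', $bubbleable_metadata->getCacheContexts());
    // The non-HTML branch attaches no placeholder.
    $this->assertSame([], $bubbleable_metadata->getAttachments());
  }

}
```

Run it with core's PHPUnit configuration the same way as the existing RouteProcessorCsrfTest; the 'session' assertion is the one that distinguishes the current code from the proposed resolution, while the other two hold both before and after.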
Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.0 🔥

Component

base system

Created by

🇬🇧United Kingdom alexpott 🇪🇺🌍


Merge Requests

Comments & Activities

  • Issue created by @alexpott
  • Pipeline finished with Failed
    26 days ago
    Total: 262s
    #515862
  • Pipeline finished with Failed
    26 days ago
    Total: 882s
    #515878
  • 🇬🇧United Kingdom alexpott 🇪🇺🌍

    Neat, so we've now found that this is causing cache problems. The fail in core/modules/views/tests/src/Functional/Rest/ViewJsonBasicAuthTest.php is a real use-case failure. The header for the response contains links like:

        5 => '<http://drupal8alt.test/admin/structure/views/view/test_rest/enable?token=EX9ReP8nZc2j3HZ7giS1uTBhTdjB7c7B5lL-N5dOLwU>; rel="https://drupal.org/link-relations/enable"',
        6 => '<http://drupal8alt.test/admin/structure/views/view/test_rest/disable?token=TN1doQ-RJc-1-Q_KCviUdFSolzuAwIVLCfxW5Xvhh4o>; rel="https://drupal.org/link-relations/disable"',
    

    These links are only valid for the session of the user who made the request, so we should be caching the response. There is a decent question about whether we should have the disable and enable links in the header, but if they are there and using CSRF protection then the cache contexts need to be correct.

    We need to fix the expected cache context for all the tests listed here: https://git.drupalcode.org/issue/drupal-3528434/-/pipelines/515881/test_...

    I suspect these are all the disable-able config entities - not sure where we're adding the link relationship atm...
