feat: make CSRF protection stable

[ematipico]

Changes

This PR makes CSRF protection stable. As for now, we decided to not implement a cookie strategy because it requires a strategy that isn't very Astro-y.

The configuration has been changed, and it was make less deep:

export default defineConfig({
-  experimental: {
-    security: {
-      csrfProtection: {
-        origin: true
-      }
-    }
-  },
+  security: {
+    checkOrigin: true
+  }
})

Testing

The current tests should pass.

Docs

/cc @withastro/maintainers-docs for feedback!

[changeset-bot]

🦋 Changeset detected

Latest commit: d6402dd

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

This PR is blocked because it contains a minor changeset. A reviewer will merge this at the next release if approved.

[matthewp]

In addition to unflagging the RFC should be updated to account for the fact that we're not going to be doing the cookie check for now. You could either remove that section or move it to the alternative ideas section: withastro/roadmap#879

[sarah11918]

Just a quick thought here for the docs, @ematipico !

Also, wondering whether we might want to link here from any other docs pages like our "Authentication" guide as a "thing to consider enabling".

Is there any reason why someone might have authentication on their Astro site and NOT want this set?

[matthewp]

Blocked pending the call for consensus passing.

[sarah11918]

Other than a more detailed changeset for this unflagged feature, just a couple of quick suggestions for the actual docs to take a look at! (Note, one earlier comment was updated based on feedback).

[ematipico]

Just a quick thought here for the docs, @ematipico !

Also, wondering whether we might want to link here from any other docs pages like our "Authentication" guide as a "thing to consider enabling".

Is there any reason why someone might have authentication on their Astro site and NOT want this set?

If users are using SSR and plan to expose some endpoints that should be reachable from external domains (e.g. posting a form), then they should not enable this feature, otherwise all requests coming from external domains will be blocked.

[sarah11918]

This looks great! A few minor tweaks, and checking closely, I think we need to move up the JSDoc content to the "Top-level Options" section.

Otherwise, ready to go!

[sarah11918]

I think this should be moved much higher up in the file? It loos like this will now appear under "Legacy Flags" in the sidebar.

This is a top-level option, right? So it should probably move up maybe between scopedStyleStrategy and vite? These aren't in alphabetical order, but manually by common usage first, and then whenever just seems right. I think just above vite makes sense, but open to suggestions if you don't like that!

[ematipico]

Done!

[sarah11918]

Great! I left two tiny fixes in comments, but I am happy to consider this good to go! 🥳

Merge day

[github-actions]

This PR is blocked because it contains a minor changeset. A reviewer will merge this at the next release if approved.