-
-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix the order of the CSRF and the private response listener #2074
Conversation
Nice find. Looks good to me. However, I think we need a comment and an extension test here to ensure the order of the listeners like we did for others that depend on the priority to prevent regressions. /edit: didn't see your todo or maybe you added it later on :D |
Added it later |
The order of all listeners is now:
As I don’t know what most of them do, I’m not sure if -99 and -98 is correct? |
Done. |
Imho the listeners should also come after |
Sure? Because it checks the |
Would it make sense to always leave gaps between the priorities? |
Without checking the code, I would assume the SubrequestCacheSubscriber merges cache headers from subrequests into the main response, so it affects all requests. |
So, how about |
Thank you @ausi. |
The problem in #2067 was the order of the CSRF and make-response-private listeners: First, the make-response-private listener kept the response public, then the CSRF listener added a cookie-header to remove the CSRF cookie. This “cookie deletion” was then stored in the HTTP cache and every subsequent access to this resource always resulted in the CSRF cookie to get removed.
I’m not sure what the “correct” priorities for them are, but I think both listeners should come very late. /cc @Toflar
ToDo