
[Security] Add logout configuration for Clear-Site-Data header #49306


Merged: 1 commit merged into symfony:6.3 from maxbeckers:patch_49266_clear_site_data on Mar 10, 2023

Conversation


@maxbeckers maxbeckers commented Feb 9, 2023

| Q             | A                          |
| ------------- | -------------------------- |
| Branch?       | 6.3                        |
| Bug fix?      | no                         |
| New feature?  | yes                        |
| Deprecations? | no                         |
| Tickets       | Fix #49266                 |
| License       | MIT                        |
| Doc PR        | symfony/symfony-docs#17900 |

Enhance security by issuing a Clear-Site-Data header on logout.

Default config is off.

Config example for all:

security:
    # ...
    firewalls:
        main:
            # ...
            logout:
                path: app_logout
                clear_site_data:
                    - "*"

Instead of all with the `*`, it's also possible to add a set of cache, cookies, storage, executionContexts. For example, without cookies it will look like this:

security:
    # ...
    firewalls:
        main:
            # ...
            logout:
                path: app_logout
                clear_site_data:
                    - cache
                    - storage
                    - executionContexts

TODO
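As an added illustration (not Symfony's code and not the PR author's), the following Python models what the `clear_site_data` option above produces on the wire and how a browser acts on it. The `logout_response_headers` helper is a hypothetical stand-in for the framework's logout handling; the directive names, the quoted-string format and the HTTPS-only rule are taken from the W3C Clear-Site-Data specification.

```python
"""Clear-Site-Data on logout: build the header value from a directive list
shaped like the Symfony `clear_site_data` option, and model how a browser
interprets it. Added example; not Symfony's own code."""

from typing import Dict, FrozenSet, Iterable

# Directive names defined by the W3C Clear-Site-Data specification.
KNOWN_DIRECTIVES: FrozenSet[str] = frozenset(
    {"cache", "cookies", "storage", "executionContexts"}
)
WILDCARD = "*"


def valid_directives(directives: Iterable[str]) -> bool:
    """True if the list is non-empty and every entry is "*" or a known directive.
    "*" must stand alone: it already covers all four types."""
    names = list(directives)
    if not names:
        return False
    if WILDCARD in names:
        return len(names) == 1
    return all(name in KNOWN_DIRECTIVES for name in names)


def build_clear_site_data(directives: Iterable[str]) -> str:
    """Serialize the directive list as a Clear-Site-Data header value.

    The wire format is a comma-separated list of *quoted* strings; browsers
    ignore bare tokens, so an unquoted `cache` would silently clear nothing.
    """
    names = list(directives)
    if not valid_directives(names):
        raise ValueError(f"unsupported Clear-Site-Data directives: {names!r}")
    # dict.fromkeys removes duplicates while keeping the configured order.
    return ", ".join(f'"{name}"' for name in dict.fromkeys(names))


def logout_response_headers(directives: Iterable[str], redirect_to: str = "/") -> Dict[str, str]:
    """Headers of a logout redirect carrying the Clear-Site-Data directive(s).
    Hypothetical helper standing in for the framework's logout listener."""
    return {
        "Location": redirect_to,
        "Clear-Site-Data": build_clear_site_data(directives),
    }


def browser_clears(header_value: str, *, secure_context: bool) -> FrozenSet[str]:
    """Return the data types a user agent will purge for the responding origin.

    Two spec rules that matter in practice:
      * the header is only honored when the response came over a secure
        (HTTPS) origin, so an on-path attacker cannot inject it into plain
        HTTP traffic to wipe a victim's site data;
      * each item must be a quoted-string; unquoted or unknown items are skipped.
    """
    if not secure_context:
        return frozenset()
    cleared = set()
    for raw in header_value.split(","):
        item = raw.strip()
        if len(item) < 2 or item[0] != '"' or item[-1] != '"':
            continue  # bare token: ignored by the browser
        name = item[1:-1]
        if name == WILDCARD:
            return KNOWN_DIRECTIVES
        if name in KNOWN_DIRECTIVES:
            cleared.add(name)
    return frozenset(cleared)


if __name__ == "__main__":
    # The two configurations shown in the PR description.
    for cfg in (["*"], ["cache", "storage", "executionContexts"]):
        headers = logout_response_headers(cfg, "/login")
        value = headers["Clear-Site-Data"]
        print(f"{cfg!r:45} -> Clear-Site-Data: {value}")
        print("   cleared over HTTPS:", sorted(browser_clears(value, secure_context=True)))
        print("   cleared over HTTP: ", sorted(browser_clears(value, secure_context=False)))
```

The practical checks this encodes: validate the configured names before emitting the header (a typo such as `localStorage` is not an error to the browser, it is just ignored), always quote each directive, and remember that the logout endpoint has to be served over HTTPS or the header does nothing.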

@carsonbot carsonbot added this to the 6.3 milestone Feb 9, 2023
@maxbeckers maxbeckers force-pushed the patch_49266_clear_site_data branch 3 times, most recently from 1cc1494 to 9055e78 Compare February 9, 2023 07:19
@maxbeckers maxbeckers force-pushed the patch_49266_clear_site_data branch 2 times, most recently from 1a5ac23 to c20d516 Compare February 10, 2023 12:46
@nicolas-grekas nicolas-grekas left a comment


Doesn't this miss some changes to an xsd file?

@maxbeckers maxbeckers force-pushed the patch_49266_clear_site_data branch 2 times, most recently from 1cd02eb to 95df250 Compare February 13, 2023 08:18
@maxbeckers (Contributor Author)

Thanks for your reviews @stof and @nicolas-grekas.
Yes, I missed the xsd file. Now I've also added some tests to verify the new settings. I hope I have now considered all the relevant points.

@nicolas-grekas nicolas-grekas left a comment


Almost good to me :)

@maxbeckers maxbeckers force-pushed the patch_49266_clear_site_data branch from 95df250 to f9e76c1 Compare February 22, 2023 06:50

fabpot commented Mar 10, 2023

Thank you @maxbeckers.

@fabpot fabpot merged commit 5c99187 into symfony:6.3 Mar 10, 2023

teamflp commented Mar 13, 2023

Awesome

@maxbeckers maxbeckers deleted the patch_49266_clear_site_data branch March 16, 2023 08:37
javiereguiluz added a commit to javiereguiluz/symfony-docs that referenced this pull request Mar 22, 2023
…e-Data header (maxbeckers)

This PR was merged into the 6.3 branch.

Discussion
----------

[Security] Add logout configuration for Clear-Site-Data header

This PR is related to symfony/symfony#49306.

Enhance security by issuing a Clear-Site-Data header on logout.
* [Clear-Site-Data](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data#sign_out_of_a_web_site) Documentation
* Example: https://www.w3.org/TR/clear-site-data/#example-signout

Add the documentation with code examples to the **Security Configuration Reference (SecurityBundle)**.

Commits
-------

1ab4d04 [Security] Add logout configuration for Clear-Site-Data header
@fabpot fabpot mentioned this pull request May 1, 2023
Successfully merging this pull request may close these issues.

Enhance security by issuing a Clear-Site-Data header on logout