symfony
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
Lines changed: 6 additions & 0 deletions b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/form_csrf.php
Lines changed: 11 additions & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/form_csrf.php
Lines changed: 11 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
Lines changed: 13 additions & 1 deletion b/‎src/Symfony/Component/Form/Extension/Csrf/Type/FormTypeCsrfExtension.php
Lines changed: 13 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Csrf/CHANGELOG.md
Lines changed: 5 additions & 0 deletions b/‎src/Symfony/Component/Security/Csrf/CHANGELOG.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Csrf/DoubleSubmitCsrfTokenManager.php
Lines changed: 188 additions & 0 deletions b/‎src/Symfony/Component/Security/Csrf/DoubleSubmitCsrfTokenManager.php
Lines changed: 188 additions & 0 deletions
@@ -237,6 +237,7 @@ private function addFormSection(ArrayNodeDefinition $rootNode, callable $enableI
                             ->children()
                                 ->booleanNode('enabled')->defaultNull()->end() // defaults to framework.csrf_protection.enabled
                                 ->scalarNode('field_name')->defaultValue('_token')->end()
+                                ->scalarNode('header_name')->defaultValue('x-csrf-token')->end()
                             ->end()
                         ->end()
                     ->end()
 
@@ -149,6 +149,7 @@
 use Symfony\Component\Security\Core\AuthenticationEvents;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Security\Csrf\DoubleSubmitCsrfTokenManager;
 use Symfony\Component\Semaphore\PersistingStoreInterface as SemaphoreStoreInterface;
 use Symfony\Component\Semaphore\Semaphore;
 use Symfony\Component\Semaphore\SemaphoreFactory;
@@ -763,6 +764,11 @@ private function registerFormConfiguration(array $config, ContainerBuilder $cont
 
             $container->setParameter('form.type_extension.csrf.enabled', true);
             $container->setParameter('form.type_extension.csrf.field_name', $config['form']['csrf_protection']['field_name']);
+            $container->setParameter('form.type_extension.csrf.header_name', $config['form']['csrf_protection']['header_name']);
+
+            if (!$config['form']['csrf_protection']['header_name'] || !class_exists(DoubleSubmitCsrfTokenManager::class)) {
+                $container->setAlias('form.type_extension.csrf.token_manager', 'security.csrf.token_manager');
+            }
         } else {
             $container->setParameter('form.type_extension.csrf.enabled', false);
         }
 
@@ -12,18 +12,28 @@
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
 use Symfony\Component\Form\Extension\Csrf\Type\FormTypeCsrfExtension;
+use Symfony\Component\Security\Csrf\DoubleSubmitCsrfTokenManager;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
         ->set('form.type_extension.csrf', FormTypeCsrfExtension::class)
             ->args([
-                service('security.csrf.token_manager'),
+                service('form.type_extension.csrf.token_manager'),
                 param('form.type_extension.csrf.enabled'),
                 param('form.type_extension.csrf.field_name'),
                 service('translator')->nullOnInvalid(),
                 param('validator.translation_domain'),
                 service('form.server_params'),
             ])
             ->tag('form.type_extension')
+
+        ->set('form.type_extension.csrf.token_manager', DoubleSubmitCsrfTokenManager::class)
+            ->args([
+                service('request_stack'),
+                service('logger')->nullOnInvalid(),
+                param('form.type_extension.csrf.header_name'),
+            ])
+            ->tag('monolog.logger', ['channel' => 'request'])
+            ->tag('kernel.event_listener', ['event' => 'kernel.response', 'method' => 'onKernelResponse'])
     ;
 };
@@ -73,7 +73,9 @@ public function finishView(FormView $view, FormInterface $form, array $options):
             $csrfForm = $factory->createNamed($options['csrf_field_name'], HiddenType::class, $data, [
                 'block_prefix' => 'csrf_token',
                 'mapped' => false,
-            ]);
+            ] + (
+                $options['csrf_data_attr'] ? ['attr' => ['data-'.$options['csrf_data_attr'] => '']] : []
+            ));
 
             $view->children[$options['csrf_field_name']] = $csrfForm->createView($view);
         }
@@ -84,10 +86,20 @@ public function configureOptions(OptionsResolver $resolver): void
         $resolver->setDefaults([
             'csrf_protection' => $this->defaultEnabled,
             'csrf_field_name' => $this->defaultFieldName,
+
             'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.',
             'csrf_token_manager' => $this->defaultTokenManager,
             'csrf_token_id' => null,
+
+            'csrf_data_attr' => 'csrf-protection',
         ]);
+
+        $resolver->setAllowedTypes('csrf_protection', 'bool');
+        $resolver->setAllowedTypes('csrf_field_name', 'string');
+        $resolver->setAllowedTypes('csrf_message', 'string');
+        $resolver->setAllowedTypes('csrf_token_manager', CsrfTokenManagerInterface::class);
+        $resolver->setAllowedTypes('csrf_token_id', ['null', 'string']);
+        $resolver->setAllowedTypes('csrf_data_attr', ['null', 'string']);
     }
 
     public static function getExtendedTypes(): iterable
 
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.2
+---
+
+ * Add `DoubleSubmitCsrfTokenManager`
+
 6.0
 ---
 
 
@@ -0,0 +1,188 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Csrf;
+
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpKernel\Event\ResponseEvent;
+
+/**
+ * This CSRF token manager uses a combination of cookie and headers to validate non-persistent tokens.
+ *
+ * This manager is designed to be stateless and compatible with HTTP-caching.
+
+ * First, we validate the source of the request using the Origin/Referer headers. This relies
+ * on the app being able to know its own target origin. Don't miss configuring your reverse proxy to
+ * send the X-Forwarded-* / Forwarded headers if you're behind one.
+ *
+ * Then, we validate the request using a cookie and a custom header. If present, both should contain
+ * the same token value. A JavaScript snippet on the client side is responsible performing this
+ * double-submission. The token value should be regenerated on every request using a cryptographically
+ * secure random generator.
+ *
+ * If either double-submit or Origin/Referer headers are missing, it typically indicates that
+ * JavaScript is disabled on the client side, or that the JavaScript snippet was not properly
+ * implemented, or that the Origin/Referer headers were filtered out.
+ *
+ * Requests lacking both double-submit and origin information are deemed insecure.
+ *
+ * When a session is found, a behavioral check is added to ensure that the validation method does not
+ * downgrade from double-submit to origin checks. This prevents attackers from exploiting potentially
+ * less secure validation methods once a more secure method has been confirmed as functional.
+ *
+ * On HTTPS connections, the cookie is prefixed with "__Host-" to prevent it from being forged on an
+ * HTTP channel. On the JS side, the cookie should be set with samesite=strict to strenghen the CSRF
+ * protection. The cookie is always cleared on the response to prevent any further use of the token.
+ *
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+final class DoubleSubmitCsrfTokenManager implements CsrfTokenManagerInterface
+{
+    public const TOKEN_MIN_LENGTH = 32;
+
+    public function __construct(
+        private RequestStack $requestStack,
+        private ?LoggerInterface $logger = null,
+        private string $headerName = 'x-csrf-token',
+    ) {
+    }
+
+    public function getToken(string $tokenId): CsrfToken
+    {
+        return new CsrfToken($tokenId, $this->headerName);
+    }
+
+    public function refreshToken(string $tokenId): CsrfToken
+    {
+        return new CsrfToken($tokenId, $this->headerName);
+    }
+
+    public function removeToken(string $tokenId): ?string
+    {
+        return null;
+    }
+
+    public function isTokenValid(CsrfToken $token): bool
+    {
+        // This token is not for us
+        if ($token->getValue() !== $this->headerName) {
+            $this->logger?->debug('CSRF validation failed: Unknown CSRF token.');
+
+            return false;
+        }
+
+        if (!$request = $this->requestStack->getCurrentRequest()) {
+            $this->logger?->debug('CSRF validation failed: No request found.');
+
+            return false;
+        }
+
+        if (false === $isValidOrigin = $this->isValidOrigin($request)) {
+            $this->logger?->debug('CSRF validation failed: Origin doesn\'t match.');
+
+            return false;
+        }
+
+        if ($this->isValidDoubleSubmit($request)) {
+            // Mark the request as validated using double-submit info
+            $request->attributes->set($this->headerName, 'double-submit');
+            $this->logger?->debug('CSRF validation accepted using double-submit info.');
+
+            return true;
+        }
+
+        // Opportunistically lookup at the session for a previous CSRF validation strategy
+        $session = $request->hasPreviousSession() ? $request->getSession() : null;
+        $usageIndexValue = $session instanceof Session ? $usageIndexReference = &$session->getUsageIndex() : 0;
+        $usageIndexReference = \PHP_INT_MIN;
+        $csrfProtection = $session?->get($this->headerName);
+        $usageIndexReference = $usageIndexValue;
+
+        // If a previous request was validated using double-submit info, stick to it
+        if ('double-submit' === $csrfProtection) {
+            $this->logger?->debug('CSRF validation failed: double-submit info was used in a previous request but didn\'t pass this time.');
+
+            return false;
+        }
+
+        // If a previous request was validated using origin info, stick to it
+        if ('origin' === $csrfProtection && null === $isValidOrigin) {
+            $this->logger?->debug('CSRF validation failed: origin info was used in a previous request but didn\'t pass this time.');
+
+            return false;
+        }
+
+        if (true === $isValidOrigin) {
+            // Mark the request as validated using origin info
+            $request->attributes->set($this->headerName, 'origin');
+            $this->logger?->debug('CSRF validation accepted using origin info.');
+
+            return true;
+        }
+
+        $this->logger?->debug('CSRF validation failed: double-submit and origin info not found.');
+
+        return false;
+    }
+
+    public function clearCookie(Request $request, Response $response): void
+    {
+        $cookieName = ($request->isSecure() ? '__Host-' : '').$this->headerName;
+
+        if ($request->cookies->has($cookieName)) {
+            $response->headers->clearCookie($cookieName, '/', null, $request->isSecure(), false, 'strict');
+        }
+    }
+
+    public function persistStrategy(Request $request): void
+    {
+        if ($request->hasSession(true) && $request->attributes->has($this->headerName)) {
+            $request->getSession()->set($this->headerName, $request->attributes->get($this->headerName));
+        }
+    }
+
+    public function onKernelResponse(ResponseEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $this->clearCookie($event->getRequest(), $event->getResponse());
+        $this->persistStrategy($event->getRequest());
+    }
+
+    /**
+     * @return bool|null Whether the origin is valid, null if missing
+     */
+    private function isValidOrigin(Request $request): ?bool
+    {
+        $source = $request->headers->get('Origin') ?? $request->headers->get('Referer') ?? 'null';
+
+        return 'null' === $source ? null : str_starts_with($source.'/', $request->getScheme().'://'.$request->getHttpHost().'/');
+    }
+
+    private function isValidDoubleSubmit(Request $request): bool
+    {
+        $token = $request->headers->get($this->headerName);
+
+        if (!\is_string($token) || \strlen($token) < self::TOKEN_MIN_LENGTH) {
+            return false;
+        }
+
+        $cookieName = ($request->isSecure() ? '__Host-' : '').$this->headerName;
+
+        return $request->cookies->get($cookieName) === $token;
+    }
+}