From a1c303bfb4dbd0586763ad4f8232673d5b042f24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Deruss=C3=A9?=
Date: Sat, 23 Jan 2021 21:37:54 +0100
Subject: [PATCH] Add documentation about breach

---
 security/csrf.rst | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/security/csrf.rst b/security/csrf.rst
index ac8e840c978..7058fb88478 100644
--- a/security/csrf.rst
+++ b/security/csrf.rst
@@ -85,7 +85,7 @@ this can be customized on a form-by-form basis::
 // src/Form/TaskType.php
 namespace App\Form;
-
+ // ...
 use App\Entity\Task;
 use Symfony\Component\OptionsResolver\OptionsResolver;
@@ -162,4 +162,19 @@ to check its validity::
 }
 }
+CSRF Tokens and Compression Side-Channel Attacks
+------------------------------------------------
+
+`BREACH`_ and `CRIME`_ are security exploits against HTTPS when using HTTP
+compression. Attacker can leverage information leaked by compression to recover
+targeted parts of the plaintext. To mitigate these attacks, and prevent an
+attacker from guessing the CSRF tokens, a random mask is prepended to the token
+and used to scramble it.
+
+.. versionadded:: 5.3
+
+ The randomization of tokens was introduced in Symfony 5.3
+
 .. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery
+.. _`BREACH`: https://en.wikipedia.org/wiki/BREACH
+.. _`CRIME`: https://en.wikipedia.org/wiki/CRIME