Deprecate the storefront CSRF implementation

INFO

This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here

Context

With browsers evolving and dropping support for older browser in 6.5 we have wide support for SameSite cookies.
The current CSRF implementation adds a lot of complexity to all forms and ajax calls in the Storefront.
The CSRF protection does not add a great improvement in security due to the SameSite strategy.

Decision

We remove the CSRF protection in favor of SameSite cookies which are used and prevent CSRF attacks already.

Consequences

All CSRF implementations in the Storefront will be removed.

Catalog

Checkout

Content

Architecture

Setups

Plugins

Plugin fundamentals

Checkout

Cart

Document

Order

Payment

Content

CMS

Mail

Media

SEO

Sitemap

Stock

Elasticsearch

Framework

Data Handling / DataAbstractionLayer

Custom Fields

Event

Extension Points

Message Queue

Rule

Store API

Filesystem

Flow

Rate Limiter

System Checks

Administration

Advanced configuration

Data handling processing

Mixins directives

Module component management

Permissions error handling

Routing navigation

Services utilities

System updates

Templates styling

Ui ux

Storefront

Testing

Cypress End-to-end testing

Playwright E2E testing

API

Themes

Apps

App Starter Guides

App SDKs

Official JavaScript SDK

Official PHP SDK

App Scripts

Storefront

Administration

Flow Builder

Custom Data

Content

CMS

Rule Builder

Gateways

Checkout

Context

In app purchase

Installation & Updates

Deployments

Configurations

Shopware

Framework

Observability

Performance

Infrastructure

Elasticsearch

General Concepts

Migration Assistant

Concept

Guides

B2B Suite