2022-11-16 - Deprecate the Storefront CSRF implementation
INFO
This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here
Context
- With browsers evolving and dropping support for older browser in 6.5 we have wide support for SameSite cookies.
- The current CSRF implementation adds a lot of complexity to all forms and ajax calls in the Storefront.
- The CSRF protection does not add a great improvement in security due to the SameSite strategy.
Decision
- We remove the CSRF protection in favor of SameSite cookies which are used and prevent CSRF attacks already.
Consequences
- All CSRF implementations in the Storefront will be removed.