2022-11-16 - Deprecate the Storefront CSRF implementation

INFO

This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here

Context

With browsers evolving and dropping support for older browser in 6.5 we have wide support for SameSite cookies.
The current CSRF implementation adds a lot of complexity to all forms and ajax calls in the Storefront.
The CSRF protection does not add a great improvement in security due to the SameSite strategy.

Decision

We remove the CSRF protection in favor of SameSite cookies which are used and prevent CSRF attacks already.

Consequences

All CSRF implementations in the Storefront will be removed.

Catalog

Checkout

Content

Architecture

Infrastructure

Elasticsearch

Installation & Updates

Deployments

Performance

Legacy Setups

Community Setups

General Concepts

Apps

Administration

Custom Data

Flow Builder

Hosting Guide

Local development

Rule Builder

App Starter Guides

Storefront

App Scripts

Content

CMS

Themes

Plugins

Administration

API

Checkout

Cart

Document

Order

Payment

Content

CMS

Mail

Media

SEO

Sitemap

Elasticsearch

Framework

Custom Fields

Data Handling / DataAbstractionLayer

Event

Filesystem

Flow

Message Queue

Rate Limiter

Rule

Store API

Storefront

Testing

Plugin fundamentals

Migration Assistant

Concept

Guides

Advanced Search

B2B Suite

Concepts

Guides

Storefront

Core

Code

Document

Fonts & Formats

Test

Testing guidelines for extensions

Administration Reference

General

Admin

Flow builder

API

App

Cache

Checkout

Content-management

DAL

Deployment

Extension

Inventory

2022-11-16 - Deprecate the Storefront CSRF implementation

Context

Decision

Consequences