diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
index d54162b..8cad1b1 100644
--- a/DependencyInjection/Configuration.php
+++ b/DependencyInjection/Configuration.php
@@ -23,6 +23,7 @@ public function getConfigTreeBuilder(): TreeBuilder
 ->integerNode('expire')->defaultValue(0)->end()
 ->scalarNode('path')->cannotBeEmpty()->defaultValue('/')->end()
 ->scalarNode('domain')->defaultNull()->end()
+ ->booleanNode('httpOnly')->defaultFalse()->end()
 ->booleanNode('secure')->defaultFalse()->end()
 ->scalarNode('header')->cannotBeEmpty()->defaultValue('X-XSRF-TOKEN')->end()
 ->scalarNode('sameSite')->cannotBeEmpty()->defaultValue(Cookie::SAMESITE_LAX)->end()
diff --git a/DependencyInjection/DneustadtCsrfCookieExtension.php b/DependencyInjection/DneustadtCsrfCookieExtension.php
index 010e54b..bcef6c9 100644
--- a/DependencyInjection/DneustadtCsrfCookieExtension.php
+++ b/DependencyInjection/DneustadtCsrfCookieExtension.php
@@ -22,6 +22,7 @@ public function load(array $configs, ContainerBuilder $container): void
 $container->setParameter('dneustadt_csrf_cookie.expire', $config['expire']);
 $container->setParameter('dneustadt_csrf_cookie.path', $config['path']);
 $container->setParameter('dneustadt_csrf_cookie.domain', $config['domain']);
+ $container->setParameter('dneustadt_csrf_cookie.httpOnly', $config['httpOnly']);
 $container->setParameter('dneustadt_csrf_cookie.secure', $config['secure']);
 $container->setParameter('dneustadt_csrf_cookie.header', $config['header']);
 $container->setParameter('dneustadt_csrf_cookie.sameSite', $config['sameSite']);
diff --git a/README.md b/README.md
index 083f0a1..df1f196 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,8 @@ dneustadt_csrf_cookie:
 path: /
 # Cookie domain
 domain: null
+ # Cookie HttpOnly
+ httpOnly: true
 # Cookie secure
 secure: false
 # Name of the HTTP header the token is expected to be stored in
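Review bot: The new `httpOnly` node is declared `->defaultFalse()`, but the README hunk in the same commit shows `httpOnly: true` alongside keys whose README values otherwise equal the configured defaults (`path: /`, `domain: null`, `secure: false`), so the two disagree and one of them is wrong. Given the token is expected back in an `X-XSRF-TOKEN` header — which, if this is the usual double-submit pattern where client-side script copies the cookie value into the header, requires the cookie to be script-readable — `false` looks like the default that keeps the mechanism working, and the README line should become `httpOnly: false`. Whichever default is kept, the trade-off deserves stating on the node, e.g. `->booleanNode('httpOnly')->info('If true, script cannot read the cookie; the X-XSRF-TOKEN header must then be populated some other way')->defaultFalse()->end()`, so it shows up in `config:dump-reference`. The enclosing `getConfigTreeBuilder()` starts and ends outside this hunk.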
diff --git a/Resources/config/services.yaml b/Resources/config/services.yaml
index 297cf07..2bd24b4 100644
--- a/Resources/config/services.yaml
+++ b/Resources/config/services.yaml
@@ -11,6 +11,7 @@ services:
 $cookieExpire: '%dneustadt_csrf_cookie.expire%'
 $cookiePath: '%dneustadt_csrf_cookie.path%'
 $cookieDomain: '%dneustadt_csrf_cookie.domain%'
+ $cookieHttpOnly: '%dneustadt_csrf_cookie.httpOnly%'
 $cookieSecure: '%dneustadt_csrf_cookie.secure%'
 $cookieHeader: '%dneustadt_csrf_cookie.header%'
 $cookieSameSite: '%dneustadt_csrf_cookie.sameSite%'
diff --git a/Service/CsrfRequestEvaluator.php b/Service/CsrfRequestEvaluator.php
index a7a8b1b..99b3d4c 100644
--- a/Service/CsrfRequestEvaluator.php
+++ b/Service/CsrfRequestEvaluator.php
@@ -52,6 +52,11 @@ class CsrfRequestEvaluator
 */
 protected $cookieDomain;
 
+ /**
+ * @var bool
+ */
+ protected $cookieHttpOnly;
+
 /**
 * @var bool
 */
@@ -75,6 +80,7 @@ public function __construct(
 int $cookieExpire,
 string $cookiePath,
 ?string $cookieDomain,
+ bool $cookieHttpOnly,
 bool $cookieSecure,
 string $cookieHeader,
 string $cookieSameSite
@@ -86,6 +92,7 @@ public function __construct(
 $this->cookieExpire = $cookieExpire;
 $this->cookiePath = $cookiePath;
 $this->cookieDomain = $cookieDomain;
+ $this->cookieHttpOnly = $cookieHttpOnly;
 $this->cookieSecure = $cookieSecure;
 $this->cookieHeader = $cookieHeader;
 $this->cookieSameSite = $cookieSameSite;
@@ -143,7 +150,7 @@ public function setCookie(Request $request, Response $response): void
 $this->cookiePath,
 $this->cookieDomain,
 $this->cookieSecure,
- false,
+ $this->cookieHttpOnly,
 false,
 $this->cookieSameSite
 )
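Review bot: In the `setCookie` hunk, `$this->cookieHttpOnly` is slotted into a run of positional arguments between `$this->cookieSecure` and a bare `false`, and nothing in the call says which flag the surviving literal is — if this is Symfony's `Cookie` constructor (likely, given `Cookie::SAMESITE_LAX` elsewhere in the commit), the order is secure, httpOnly, raw, sameSite, so the literal is `raw`. Either annotate it, `false, // raw: keep the token value URL-encoded`, or, if the project targets PHP 8, switch to named arguments `httpOnly: $this->cookieHttpOnly, raw: false,` so a future reorder cannot silently swap the security flags. The new `$cookieHttpOnly` property also carries only `@var bool`; its docblock should state the consequence of setting it, roughly "when true the cookie is invisible to script, so the client cannot copy it into the configured header and every request fails the check unless the token is delivered another way". `setCookie` begins before the hunk and the constructor spans two hunks here.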