As a temporary measure until we have cacheable CSRF: let all forms add a csrf_token cache context? [#2467425]

Problem/Motivation

Currently, forms don't mark themselves as uncacheable. Even though only GET forms and forms for anon users are actually cacheable.

Proposed resolution

Until CSRF tokens are cacheable, add a csrf_token cache context and automatically add it to every form (except GET forms and except forms for anon users).

Correctness first.

Remaining tasks

TBD

User interface changes

None.

API changes

None.

Comments

Comment #1

Wim Leers

Ghent 🇧🇪🇪🇺

CreditAttribution: Wim Leers at Acquia commented 8 April 2015 at 11:15

Related issues:

+#2467373: Support block caching

Related D8 contrib issue.

Comment #2

Wim Leers

Ghent 🇧🇪🇪🇺

CreditAttribution: Wim Leers at Acquia commented 7 October 2015 at 14:08

Status:	Active	» Closed (duplicate)
Related issues:		+#2463567: Push CSRF tokens for forms to placeholders + #lazy_builder

#2463567: Push CSRF tokens for forms to placeholders + #lazy_builder and related issues have made this obsolete.

As a temporary measure until we have cacheable CSRF: let all forms add a csrf_token cache context?

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Comments

Comment #1

Comment #2

Parent issue

Related issues

Referenced by

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community