Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
Currently, forms don't mark themselves as uncacheable. Even though only GET forms and forms for anon users are actually cacheable.
Proposed resolution
Until CSRF tokens are cacheable, add a csrf_token
cache context and automatically add it to every form (except GET forms and except forms for anon users).
Correctness first.
Remaining tasks
TBD
User interface changes
None.
API changes
None.
Comments
Comment #1
Wim LeersRelated D8 contrib issue.
Comment #2
Wim Leers#2463567: Push CSRF tokens for forms to placeholders + #lazy_builder and related issues have made this obsolete.