Skip to content

fix(router)!: block all cross-site unsafe requests when using PreventCrossSiteRequestsMiddleware#2210

Merged
brendt merged 1 commit into
3.xfrom
fix/cross-site-unsafe-requests
Jul 15, 2026
Merged

fix(router)!: block all cross-site unsafe requests when using PreventCrossSiteRequestsMiddleware#2210
brendt merged 1 commit into
3.xfrom
fix/cross-site-unsafe-requests

Conversation

@innocenzi

@innocenzi innocenzi commented Jul 15, 2026

Copy link
Copy Markdown
Member

I initially implemented this with the idea that Tempest defaults to using LAX cookies, so sessions are not carried during cross-site POST requests.

However, it's better to special-case the routes that need support for this instead of it being allowed by default, so this PR changes that.

Marking as breaking because technically it is, payment provider flows might be affected and related routes will need to get hand-rolled protection.

@github-actions

Copy link
Copy Markdown

Benchmark Results

Comparison of fix/cross-site-unsafe-requests against 3.x (a919dec4b485a217888badd16ee5b5b307a1cf53).

Open to see the benchmark results
Benchmark Set Mem. Peak Time Variability
ViewRenderBench(benchPlainHtml) - 21.987mb 0.00% 483.843μs +8.58% ±1.25% -10.49%

Generated by phpbench against commit 1a5eb1a

@innocenzi innocenzi changed the title fix(router): block all cross-site unsafe requests when using PreventCrossSiteRequestsMiddleware fix(router)!: block all cross-site unsafe requests when using PreventCrossSiteRequestsMiddleware Jul 15, 2026
@brendt
brendt merged commit 64a5186 into 3.x Jul 15, 2026
82 of 84 checks passed
@brendt
brendt deleted the fix/cross-site-unsafe-requests branch July 15, 2026 12:03
@brendt

brendt commented Jul 15, 2026

Copy link
Copy Markdown
Member

Thanks to @edorian for flagging this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants