[5.x] Decouple CSRF token from nocache script #11014
Open
This PR takes another stab at #10306 which was reverted in #10898. The `nocache_js_position` config option introduced in the latter PR isn't optimal as you've got to pick your poison and choose between Livewire or nocache working as expected.

This PR picks up on the idea pointed out here and extracts the CSRF token replacer script from the nocache replacer script. The CSRF replacer script is inserted as the first script in the `head`, while the nocache replacer script is placed at the end of the `body`. This way, you don't have to pick the script's position and can have both Livewire and nocache work alongside each other.

Introduced changes

The decoupled CSRF and nocache scripts are opt-in and can be activated in the `static_caching.php` config file. If set to `true`, the CSRF and nocache replacer scripts will be decoupled as described above. The setting defaults to `false`, which enforces the current behaviour and will output one script containing both the CSRF and nocache replacer logic.

Events

When the `decouple_nocache_scripts` setting is activated, the `statamic:nocache.replaced` event is no longer dispatched when the CSRF token is replaced. It is now only dispatched by the nocache script. A new `statamic:csrf.replaced` event is dispatched instead.

Script replacement

When the `decouple_nocache_scripts` setting is activated, the `StaticCache::nocacheJs($script)` method now only replaces the nocache script. It doesn't touch the CSRF token script. A new `StaticCache::csrfTokenJs($script)` method is introduced to allow overriding the default CSRF script.

Testing

Here's a basic layout that you can use for testing. Note that the CSRF token is replaced and nocache also works. Make sure to enable the new config option and full static caching.

Minor breaking change

I've removed the `nocache_js_position` config option introduced in #10898 as it is obsolete now. I don't think this should trip up too many people and it hasn't even been documented yet. If removing this setting was overzealous, we could add it back and make it so that if it's set to `head` it will decouple the scripts, and if it's set to `body` it will output the merged scripts. This setting was only ever useful if you're using Livewire. And in that case, I think it's safe to decouple the scripts.

For future simplicity, I also suggest removing the `decouple_nocache_scripts` feature flag for v6 and making this a breaking change.

Let me know what you think.