minor #14875 [Security] [csrf] Add documentation about breach (jderusse)

javiereguiluz · javiereguiluz · commit b999b356a772 · 2021-01-26T16:52:18.000+01:00
This PR was merged into the 5.3-dev branch. Discussion ---------- [Security] [csrf] Add documentation about breach fixes #14874 Commits ------- a1c303b Add documentation about breach
diff --git a/security/csrf.rst b/security/csrf.rst
@@ -85,7 +85,7 @@ this can be customized on a form-by-form basis::
 
     // src/Form/TaskType.php
     namespace App\Form;
-    
+
     // ...
     use App\Entity\Task;
     use Symfony\Component\OptionsResolver\OptionsResolver;
@@ -162,4 +162,19 @@ to check its validity::
         }
     }
 
+CSRF Tokens and Compression Side-Channel Attacks
+------------------------------------------------
+
+`BREACH`_ and `CRIME`_ are security exploits against HTTPS when using HTTP
+compression. Attacker can leverage information leaked by compression to recover
+targeted parts of the plaintext. To mitigate these attacks, and prevent an
+attacker from guessing the CSRF tokens, a random mask is prepended to the token
+and used to scramble it.
+
+.. versionadded:: 5.3
+
+    The randomization of tokens was introduced in Symfony 5.3
+
 .. _`Cross-site request forgery`: https://en.wikipedia.org/wiki/Cross-site_request_forgery
+.. _`BREACH`: https://en.wikipedia.org/wiki/BREACH
+.. _`CRIME`: https://en.wikipedia.org/wiki/CRIME
