People attempting to use Symfony forms have a lot of issues with ezformtoken.
Current workarounds are either to manually add the legacy form token to the form, in addition to the one already added by the Symfony forms code, or to disable ezformtoken completely for the frontend (combined with disallowing login in the frontend to avoid CSRF attacks there) and only enable it for the backend.
The reason for the issue is in most cases:
- the Symfony CSRF intention for the legacy kernel (ezformtoken) is "legacy"
- while for REST and Symfony forms it is, and as best practice should be, something else
There is no secure way to detect this from legacy alone.
However, if all code that calls into legacy for low-level legacy callbacks could pass a feature flag disabling formtoken for the duration of the callback, that would in theory solve most of the issues and remove the need for the workarounds.
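To make the intention mismatch and the proposed flag concrete, here is an added example that is not eZ Publish, ezformtoken or Symfony code: a minimal PHP model of intention-scoped CSRF tokens plus a legacy-kernel stand-in that skips its own check only for the length of a flagged callback. The class and method names (TokenModel, LegacyKernelModel, runWithoutFormToken), the "ez_rest_form" intention and the field names are assumptions for illustration.

```php
<?php
// Added example, not eZ Publish/Symfony code: models why a token issued under
// one intention never validates under "legacy", and how a per-callback flag
// would let the caller take over CSRF validation without disabling
// ezformtoken globally. All names below are assumed.

final class TokenModel
{
    private string $secret;

    public function __construct(string $secret)
    {
        $this->secret = $secret;
    }

    // A token is bound to one intention: same session secret, different
    // intention, different token. A token generated for "ez_rest_form"
    // therefore fails a check done under "legacy".
    public function generate(string $intention): string
    {
        return hash_hmac('sha256', $intention, $this->secret);
    }

    public function isValid(string $intention, string $token): bool
    {
        return hash_equals($this->generate($intention), $token);
    }
}

final class LegacyKernelModel
{
    private TokenModel $tokens;
    private bool $formTokenEnabled = true;

    public function __construct(TokenModel $tokens)
    {
        $this->tokens = $tokens;
    }

    // Stand-in for today's behaviour: the posted token is always checked
    // under the "legacy" intention (field name assumed).
    public function handleRequest(array $post): string
    {
        if ($this->formTokenEnabled) {
            $token = $post['ezxform_token'] ?? '';
            if (!$this->tokens->isValid('legacy', $token)) {
                return 'rejected: formtoken mismatch';
            }
        }
        return 'ok';
    }

    // Proposed flag: the caller, having validated CSRF itself, disables the
    // legacy check only for this callback. try/finally restores the previous
    // state even if the callback throws, so no later request runs unprotected.
    public function runWithoutFormToken(callable $callback)
    {
        $previous = $this->formTokenEnabled;
        $this->formTokenEnabled = false;
        try {
            return $callback($this);
        } finally {
            $this->formTokenEnabled = $previous;
        }
    }
}

$tokens = new TokenModel('constructed-session-secret');
$kernel = new LegacyKernelModel($tokens);

// Constructed request: a Symfony form rendered with its own intention, then
// submitted to a legacy callback that knows only "legacy".
$symfonyToken = $tokens->generate('ez_rest_form');
$post = ['_token' => $symfonyToken, 'ezxform_token' => $symfonyToken];

// 1. Without the flag the legacy check fails on the intention mismatch.
echo 'plain call:   ', $kernel->handleRequest($post), PHP_EOL;

// 2. The caller validates the Symfony token under the right intention and
//    then runs the legacy callback with formtoken disabled for its duration.
if ($tokens->isValid('ez_rest_form', $post['_token'])) {
    $result = $kernel->runWithoutFormToken(
        fn(LegacyKernelModel $k) => $k->handleRequest($post)
    );
    echo 'flagged call: ', $result, PHP_EOL;
}

// 3. Outside the callback the flag is restored: an unflagged request
//    without a valid legacy token is still rejected.
echo 'after call:   ', $kernel->handleRequest([]), PHP_EOL;
```

The point of the flag being scoped to the callback (and restored in `finally`) is that it is strictly narrower than the current workaround of disabling ezformtoken for the whole frontend: only code paths that have already done their own CSRF check, under their own intention, ever bypass the legacy one.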