New in Symfony 5.1: The "safe" HTTP Preference

March 11, 2020 Published by Avatar of Javier Eguiluz Javier Eguiluz

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

LoΓ―ck Piera

Contributed by
LoΓ―ck Piera
in #34847.

Some web sites have a "safe" mode to assist those who don't want to be exposed to content to which they might object. Instead of configuring this option for each web site, browser can indicate your safe preference to all web sites.

This feature is fully explained in the RFC 8674 document. Broadly speaking, browsers requesting safe content add the Prefer: safe HTTP header and servers honoring it include these headers in their responses: Preference-Applied: safe and Vary: Prefer.

In Symfony 5.1, we added support for this feature in the HttpFoundation component. First, you can check if a user requested safe content:

1
2
3
4
// $request is an instance of Symfony\Component\HttpFoundation\Request
if ($request->preferSafeContent()) {
    // ...
}

If you fulfilled the safe request, use the setContentSafe() method on the response to add the needed HTTP headers:

1
2
3
4
use Symfony\Component\HttpFoundation\Response;

$response = new Response('...');
$response->setContentSafe();

An important thing to keep in mind is that the RFC 8674 specification doesn't define what can be considered as "safe content". Each web site decides which of their contents are objectionable or unsafe in some way.

Published in #Living on the edge

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

Comments

Avatar of Yannick
Yannick said on Mar 11, 2020
Apple has a list of what they consider unsafe content : objectionable content.
https://developer.apple.com/app-store/review/guidelines/#safety

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.