Problem/Motivation
- #2559011: Ensure form tokens are marked max-age=0 made sure the form token (a CSRF token) was only set for authenticated users, and ensured it specified max-age=0.
- #2571995: GET forms shouldn't have CSRF tokens by default refined this to make sure that GET forms don't get a form token by default, i.e. only POST forms get one.
- #2463567: Push CSRF tokens for forms to placeholders + #lazy_builder then moves the rendering of the form token into a #lazy_builder callback, which means the rendered form can actually be cached: because the form token is rendered later, the rendered form is no longer by definition bound to the current user/session, which is what made it uncacheable. But it keeps the max-age=0 that point 1 introduced, because removing that merits further discussion.
- This issue is about removing the max-age=0 that point 1 introduced, and having that further discussion.
#2552873-18: node/1 flamegraphs also points out how #2571909: CommentForm selects using the user formatted name caused a very big performance regression. #2571909 made the comment form no longer personalized per user, so we thought we had made the form cacheable. But we forgot about the form token setting max-age=0, which then makes the full node display uncacheable!
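As an added illustration of the bubbling described above, here is a constructed Python model of how a render array's max-age propagates to its parents and how a #lazy_builder placeholder defers that (this is not Drupal's code; element names, the placeholder format and the token value are assumptions):

```python
# Constructed model of Drupal's render-array cacheability bubbling (not Drupal code):
# an inline form token with max-age=0 makes the whole node display uncacheable,
# while a #lazy_builder placeholder keeps the parent cacheable and defers the token.
PERMANENT = -1  # mirrors Cache::PERMANENT

def merge_max_ages(a, b):
    """PERMANENT yields to any finite max-age; otherwise the smaller wins."""
    if a == PERMANENT:
        return b
    if b == PERMANENT:
        return a
    return min(a, b)

def render(element, placeholders):
    """Return (markup, bubbled max-age); '#lazy_builder' elements become placeholders."""
    if '#lazy_builder' in element:
        token = f'<!--placeholder-{len(placeholders)}-->'
        placeholders[token] = element['#lazy_builder']  # deferred: nothing bubbles up
        return token, PERMANENT
    max_age = element.get('#cache', {}).get('max-age', PERMANENT)
    parts = [element.get('#markup', '')]
    for key, child in element.items():
        if not key.startswith('#'):  # children are the non-'#' keys, as in Drupal
            child_markup, child_age = render(child, placeholders)
            parts.append(child_markup)
            max_age = merge_max_ages(max_age, child_age)
    return ''.join(parts), max_age

def render_placeholders(markup, placeholders):
    """Late pass: run deferred builders; their cacheability applies only to this pass."""
    max_age = PERMANENT
    for token, (callback, args) in placeholders.items():
        built_markup, age = render(callback(*args), {})
        markup = markup.replace(token, built_markup)
        max_age = merge_max_ages(max_age, age)
    return markup, max_age

def form_token_builder(form_id):
    """Stand-in for the lazy builder that computes the CSRF token (value constructed)."""
    return {'#markup': f'<input type="hidden" name="form_token" value="tok-{form_id}">',
            '#cache': {'max-age': 0}}  # still max-age=0, the setting this issue questions

def node_display(form_token_element):
    return {'#markup': '<article>node/1</article>',
            'comment_form': {'#markup': '<form>', 'form_token': form_token_element}}

def inline_token():  # before #2463567: same element rendered inline, so max-age=0 bubbles up
    return form_token_builder('comment_form')

def placeholdered_token():  # after #2463567: token deferred to a #lazy_builder
    return {'#lazy_builder': (form_token_builder, ('comment_form',))}
```

Rendering node_display(inline_token()) bubbles max-age 0 to the node; with placeholdered_token() the node render item stays PERMANENT and only the late placeholder pass carries max-age 0.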
Proposed resolution
Remove max-age=0.
Remaining tasks
TBD.
User interface changes
None.
API changes
None.
Data model changes
None.
Why this should (maybe) be an RC target
This is a significant performance improvement, but also a significant change in behavior. See #27 through #31.