diff --git a/apps/advanced/backend/views/layouts/main.php b/apps/advanced/backend/views/layouts/main.php
index 4122a9f8a6..10a688a136 100644
--- a/apps/advanced/backend/views/layouts/main.php
+++ b/apps/advanced/backend/views/layouts/main.php
@@ -17,6 +17,7 @@ AppAsset::register($this);
+ <?= Html::encode($this->title) ?> head() ?>
diff --git a/apps/advanced/frontend/views/layouts/main.php b/apps/advanced/frontend/views/layouts/main.php
index df9fa6c9da..9f6f0ab782 100644
--- a/apps/advanced/frontend/views/layouts/main.php
+++ b/apps/advanced/frontend/views/layouts/main.php
@@ -18,6 +18,7 @@ AppAsset::register($this);
+ <?= Html::encode($this->title) ?> head() ?>
diff --git a/apps/basic/views/layouts/main.php b/apps/basic/views/layouts/main.php
index 6af9564ab3..53a9354ff2 100644
--- a/apps/basic/views/layouts/main.php
+++ b/apps/basic/views/layouts/main.php
@@ -17,6 +17,7 @@ AppAsset::register($this);
+ <?= Html::encode($this->title) ?> head() ?>
diff --git a/extensions/apidoc/templates/bootstrap/layouts/main.php b/extensions/apidoc/templates/bootstrap/layouts/main.php
index d71e156022..e1122758cc 100644
--- a/extensions/apidoc/templates/bootstrap/layouts/main.php
+++ b/extensions/apidoc/templates/bootstrap/layouts/main.php
@@ -30,6 +30,7 @@ $this->beginPage();
+ head() ?> <?= Html::encode($this->context->pageTitle) ?>
diff --git a/extensions/debug/views/layouts/main.php b/extensions/debug/views/layouts/main.php
index 1b3043ed52..0b865c5c9b 100644
--- a/extensions/debug/views/layouts/main.php
+++ b/extensions/debug/views/layouts/main.php
@@ -13,6 +13,7 @@ yii\debug\DebugAsset::register($this);
+ <?= Html::encode($this->title) ?> head() ?>
diff --git a/extensions/gii/views/layouts/main.php b/extensions/gii/views/layouts/main.php
index 7f9aca770f..ea17be8941 100644
--- a/extensions/gii/views/layouts/main.php
+++ b/extensions/gii/views/layouts/main.php
@@ -15,6 +15,7 @@ $asset = yii\gii\GiiAsset::register($this);
+ <?= Html::encode($this->title) ?> head() ?>
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
index db5048dbe0..4103f51dfd 100644
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@@ -101,6 +101,7 @@ Yii Framework 2 Change Log
 - Chg #2913: RBAC `DbManager` is now initialized via migration (samdark)
 - Chg #3036: Upgraded Twitter Bootstrap to 3.1.x (qiangxue)
 - Chg #3175: InvalidCallException, InvalidParamException, UnknownMethodException are now extended from SPL BadMethodCallException (samdark)
+- Chg #3358: Removed automatic CSRF meta tag generation by `View`. Added `Html::csrfMetaTags()` and its call to main layout files (qiangxue)
 - Chg #3383: Added `$type` parameter to `IdentityInterface::findIdentityByAccessToken()` (qiangxue)
 - Chg #3531: \yii\grid\GridView now allows any character (except ":") in the attribute part of the shorthand syntax for columns (rawtaz)
 - Chg #3544: Added `$key` as a parameter to the callable specified via `yii\grid\DataColumn::value` (mdmunir)
diff --git a/framework/UPGRADE.md b/framework/UPGRADE.md
index ba94b5f10a..0e4c751d06 100644
--- a/framework/UPGRADE.md
+++ b/framework/UPGRADE.md
@@ -49,4 +49,7 @@ Upgrade from Yii 2.0 Beta
   You can add it with `ALTER TABLE log ADD COLUMN prefix TEXT AFTER log_time;`.
 * The `fileinfo` PHP extension is now required by Yii. If you use `yii\helpers\FileHelper::getMimeType()`, make sure
-  you have enabled this extension. This extension is [builtin](http://www.php.net/manual/en/fileinfo.installation.php) in php above `5.3`.
\ No newline at end of file
+  you have enabled this extension. This extension is [builtin](http://www.php.net/manual/en/fileinfo.installation.php) in php above `5.3`.
+
+* Please update your main layout file by adding this line in the `` section: ``.
+  This change is needed because `yii\web\View` no longer automatically generates CSRF meta tags due to issue #3358.
diff --git a/framework/helpers/BaseHtml.php b/framework/helpers/BaseHtml.php
index 9be956be74..cfdc97c82c 100644
--- a/framework/helpers/BaseHtml.php
+++ b/framework/helpers/BaseHtml.php
@@ -248,6 +248,22 @@ class BaseHtml
         }
     }
 
+    /**
+     * Generates the meta tags containing CSRF token information.
+     * @return string the generated meta tags
+     * @see Request::enableCsrfValidation
+     */
+    public static function csrfMetaTags()
+    {
+        $request = Yii::$app->getRequest();
+        if ($request instanceof Request && $request->enableCsrfValidation) {
+            return static::tag('meta', '', ['name' => 'csrf-param', 'content' => $request->csrfParam]) . "\n " . static::tag('meta', '', ['name' => 'csrf-token', 'content' => $request->getCsrfToken()]) . "\n";
+        } else {
+            return '';
+        }
+    }
+
     /**
      * Generates a form start tag.
      * @param array|string $action the form action URL. This parameter will be processed by [[Url::to()]].
diff --git a/framework/web/Request.php b/framework/web/Request.php
index 06152d80d6..e521415db2 100644
--- a/framework/web/Request.php
+++ b/framework/web/Request.php
@@ -104,6 +104,7 @@ class Request extends \yii\base\Request
  *
  * In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via `yii.getCsrfParam()` and
  * `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered.
+ * You also need to include CSRF meta tags in your pages by using [[\yii\helpers\Html::csrfMetaTags()]].
  *
  * @see Controller::enableCsrfValidation
  * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
diff --git a/framework/web/View.php b/framework/web/View.php
index 8818d36fa5..4b2a760e09 100644
--- a/framework/web/View.php
+++ b/framework/web/View.php
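Review bot: `$request instanceof Request` in the new `csrfMetaTags()` depends on `Request` resolving to `yii\web\Request` inside the `yii\helpers` namespace; the `use` import is outside this hunk, and if it is missing PHP raises no error — `instanceof` against an unknown class name is simply false — so the helper would silently return `''` and every layout calling it would ship without CSRF meta tags. The removed `View` code used the fully qualified name, and doing the same here, `if ($request instanceof \yii\web\Request && $request->enableCsrfValidation) {`, removes that dependency on an import. The helper also drops the `!$request->getIsAjax()` condition the old `View` code had, so layouts rendered for AJAX requests now emit the tags as well; if that is intended, a docblock sentence such as `* Unlike the former View behavior, the tags are also emitted for AJAX requests.` would document the difference. The `else` after the `return` can be dropped so the method ends with a bare `return '';`.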
@@ -460,12 +460,6 @@ class View extends \yii\base\View
             $lines[] = implode("\n", $this->metaTags);
         }
 
-        $request = Yii::$app->getRequest();
-        if ($request instanceof \yii\web\Request && $request->enableCsrfValidation && !$request->getIsAjax()) {
-            $lines[] = Html::tag('meta', '', ['name' => 'csrf-param', 'content' => $request->csrfParam]);
-            $lines[] = Html::tag('meta', '', ['name' => 'csrf-token', 'content' => $request->getCsrfToken()]);
-        }
-
         if (!empty($this->linkTags)) {
             $lines[] = implode("\n", $this->linkTags);
         }