// This does not apply to programmatically submitted forms. Furthermore,
// since tokens are session-bound and forms displayed to anonymous users are
// very likely cached, we cannot assign a token for them.
// During installation, there is no $user yet.
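// Form constructors may explicitly set #token to FALSE when cross-site
// request forgery (CSRF) is irrelevant to the form, such as search forms.
// The token is then removed below, so this is only appropriate for forms
// whose submission has no side effects.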
if ($form_state->
isProgrammed() || (isset($form['#token'
]) &&
$form['#token'
] === FALSE
)) { unset($form['#token'
]);
} else { $form['#cache'
]['contexts'
][] = 'user.roles:authenticated';
if ($user &&
$user->
isAuthenticated()) { // Generate a public token and placeholder based on the form ID.
$placeholder = 'form_token_placeholder_' . Crypt::
hashBase64($form_id);
$form['#token'
] =
$placeholder;
$form['form_token'
] =
[ '#id' => Html::
getUniqueId('edit-' .
$form_id . '-form-token'
),
'#type' => 'token',
'#default_value' =>
$placeholder,
// Form processing and validation require this value. Ensure the
// submitted form value appears literally, regardless of custom #tree
// and #parents being set elsewhere.