Add xsrf token header if cookie is present (#11034)

Fixes #9471

3 files changed, 27 insertions, 0 deletions

diff --git a/client/src/main/java/com/vaadin/client/communication/Heartbeat.java b/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
index 90dcec1c56..83cdbe5b3a 100644
--- a/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
+++ b/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
@@ -82,6 +82,8 @@ public class Heartbeat {
 
         final RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, uri);
 
+        XhrConnection.addXsrfHeaderFromCookie(rb);
+
         final RequestCallback callback = new RequestCallback() {
 
             @Override
diff --git a/client/src/main/java/com/vaadin/client/communication/XhrConnection.java b/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
index 629d1b4cd8..1efde0fb42 100644
--- a/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
+++ b/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
@@ -22,6 +22,7 @@ import com.google.gwt.http.client.RequestBuilder;
 import com.google.gwt.http.client.RequestCallback;
 import com.google.gwt.http.client.RequestException;
 import com.google.gwt.http.client.Response;
+import com.google.gwt.user.client.Cookies;
 import com.google.gwt.user.client.Timer;
 import com.google.gwt.user.client.Window;
 import com.vaadin.client.ApplicationConnection;
@@ -49,6 +50,9 @@ import elemental.json.JsonObject;
  */
 public class XhrConnection {
 
+    private static final String XSRF_HEADER_NAME = "X-XSRF-TOKEN";
+    private static final String XSRF_COOKIE_NAME = "XSRF-TOKEN";
+
     private ApplicationConnection connection;
 
     /**
@@ -183,6 +187,9 @@ public class XhrConnection {
      */
     public void send(JsonObject payload) {
         RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, getUri());
+
+        addXsrfHeaderFromCookie(rb);
+
         // TODO enable timeout
         // rb.setTimeoutMillis(timeoutMillis);
         // TODO this should be configurable
@@ -244,6 +251,13 @@ public class XhrConnection {
         return connection.getMessageHandler();
     }
 
+    public static void addXsrfHeaderFromCookie(RequestBuilder rb) {
+        String xsrfTokenVal = Cookies.getCookie(XSRF_COOKIE_NAME);
+        if (xsrfTokenVal != null && !xsrfTokenVal.isEmpty()) {
+            rb.setHeader(XSRF_HEADER_NAME, xsrfTokenVal);
+        }
+    }
+
     private static native boolean resendRequest(Request request)
     /*-{
         var xhr = request.@com.google.gwt.http.client.Request::xmlHttpRequest
diff --git a/server/src/main/resources/VAADIN/vaadinBootstrap.js b/server/src/main/resources/VAADIN/vaadinBootstrap.js
index 7cf133ac56..a6830f434b 100644
--- a/server/src/main/resources/VAADIN/vaadinBootstrap.js
+++ b/server/src/main/resources/VAADIN/vaadinBootstrap.js
@@ -37,6 +37,11 @@
         }
     };
 
+    var getCookie = function (cname) {
+        var b = document.cookie.match('(^|;)\\s*' + cname + '\\s*=\\s*([^;]+)');
+        return b ? b.pop() : '';
+    };
+
     var isWidgetsetLoaded = function (widgetset) {
         var className = widgetset.replace(/\./g, "_");
         return (typeof window[className]) != "undefined";
@@ -195,6 +200,12 @@
                 };
                 // send parameters as POST data
                 r.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+
+                var xsrfToken = getCookie("XSRF-TOKEN");
+                if (xsrfToken && xsrfToken.length > 0) {
+                    r.setRequestHeader("X-XSRF-TOKEN", xsrfToken);
+                }
+
                 r.send(params);
 
                 log('sending request to ', url);