author | Ilia Motornyi <elmot@vaadin.com> | 2018-07-11 13:24:21 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-07-11 13:24:21 +0300 |
commit | ceb9593f5d08814dd0dfe4d83030fc403078b5cd (patch) | |
tree | e6fa02ea85f407cb8b6cf669f462b670b08809c2 /client | |
parent | b7ac760a0c26d0edc7aa532281a9085766a99a3f (diff) | |
Add xsrf token header if cookie is present (#11034)
Fixes #9471
Diffstat (limited to 'client')
-rw-r--r-- | client/src/main/java/com/vaadin/client/communication/Heartbeat.java | 2 | ||||
-rw-r--r-- | client/src/main/java/com/vaadin/client/communication/XhrConnection.java | 14 |
2 files changed, 16 insertions, 0 deletions
diff --git a/client/src/main/java/com/vaadin/client/communication/Heartbeat.java b/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
index 90dcec1c56..83cdbe5b3a 100644
--- a/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
+++ b/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
@@ -82,6 +82,8 @@ public class Heartbeat {
         final RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, uri);
+        XhrConnection.addXsrfHeaderFromCookie(rb);
+
         final RequestCallback callback = new RequestCallback() {
             @Override
diff --git a/client/src/main/java/com/vaadin/client/communication/XhrConnection.java b/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
index 629d1b4cd8..1efde0fb42 100644
--- a/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
+++ b/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
@@ -22,6 +22,7 @@ import com.google.gwt.http.client.RequestBuilder;
 import com.google.gwt.http.client.RequestCallback;
 import com.google.gwt.http.client.RequestException;
 import com.google.gwt.http.client.Response;
+import com.google.gwt.user.client.Cookies;
 import com.google.gwt.user.client.Timer;
 import com.google.gwt.user.client.Window;
 import com.vaadin.client.ApplicationConnection;
@@ -49,6 +50,9 @@ import elemental.json.JsonObject;
  */
 public class XhrConnection {
+    private static final String XSRF_HEADER_NAME = "X-XSRF-TOKEN";
+    private static final String XSRF_COOKIE_NAME = "XSRF-TOKEN";
+
     private ApplicationConnection connection;
     /**
@@ -183,6 +187,9 @@ public class XhrConnection {
      */
     public void send(JsonObject payload) {
         RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, getUri());
+
+        addXsrfHeaderFromCookie(rb);
+
         // TODO enable timeout
         // rb.setTimeoutMillis(timeoutMillis); // TODO this should be configurable
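Review bot: The new `XhrConnection.addXsrfHeaderFromCookie(rb);` call in the Heartbeat hunk has no comment saying why a heartbeat POST needs this header, and the helper silently does nothing when the cookie is absent, so a reader of Heartbeat alone cannot tell which requests are expected to carry the token. A one-line comment above the call would capture the intent: `// Send the XSRF-TOKEN cookie back as the X-XSRF-TOKEN header, as XhrConnection.send() does`. The same helper is wired into send() in the later XhrConnection hunk; whether any other request path in the client also needs it is not visible in this diff and is worth confirming. The enclosing method in Heartbeat starts and ends outside the hunk.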
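Review bot: The constants XSRF_HEADER_NAME and XSRF_COOKIE_NAME added in the XhrConnection fields hunk are undocumented, so the cookie-to-header pairing the client implements is only discoverable by reading addXsrfHeaderFromCookie in the last hunk. A Javadoc on the cookie constant would make the contract explicit, e.g. `/** Cookie whose value, when present and non-empty, is copied verbatim into the {@value #XSRF_HEADER_NAME} request header. */`, with a matching one on the header constant. Since the client only checks for null or empty before copying the value, the note should also say that any validation of the token happens on the server side. Both names are hard-coded; if a deployment uses different names this would need to become configurable, which is a design question rather than a defect in this change.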
@@ -244,6 +251,13 @@ public class XhrConnection {
         return connection.getMessageHandler();
     }
+    public static void addXsrfHeaderFromCookie(RequestBuilder rb) {
+        String xsrfTokenVal = Cookies.getCookie(XSRF_COOKIE_NAME);
+        if (xsrfTokenVal != null && !xsrfTokenVal.isEmpty()) {
+            rb.setHeader(XSRF_HEADER_NAME, xsrfTokenVal);
+        }
+    }
+
     private static native boolean resendRequest(Request request) /*-{
         var xhr = request.@com.google.gwt.http.client.Request::xmlHttpRequest |