From ceb9593f5d08814dd0dfe4d83030fc403078b5cd Mon Sep 17 00:00:00 2001
From: Ilia Motornyi <elmot@vaadin.com>
Date: Wed, 11 Jul 2018 13:24:21 +0300
Subject: Add xsrf token header if cookie is present (#11034)

Fixes #9471
---
 .../java/com/vaadin/client/communication/Heartbeat.java    |  2 ++
 .../com/vaadin/client/communication/XhrConnection.java     | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

(limited to 'client')

diff --git a/client/src/main/java/com/vaadin/client/communication/Heartbeat.java b/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
index 90dcec1c56..83cdbe5b3a 100644
--- a/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
+++ b/client/src/main/java/com/vaadin/client/communication/Heartbeat.java
@@ -82,6 +82,8 @@ public class Heartbeat {
 
         final RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, uri);
 
+        XhrConnection.addXsrfHeaderFromCookie(rb);
+
         final RequestCallback callback = new RequestCallback() {
 
             @Override
diff --git a/client/src/main/java/com/vaadin/client/communication/XhrConnection.java b/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
index 629d1b4cd8..1efde0fb42 100644
--- a/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
+++ b/client/src/main/java/com/vaadin/client/communication/XhrConnection.java
@@ -22,6 +22,7 @@ import com.google.gwt.http.client.RequestBuilder;
 import com.google.gwt.http.client.RequestCallback;
 import com.google.gwt.http.client.RequestException;
 import com.google.gwt.http.client.Response;
+import com.google.gwt.user.client.Cookies;
 import com.google.gwt.user.client.Timer;
 import com.google.gwt.user.client.Window;
 import com.vaadin.client.ApplicationConnection;
@@ -49,6 +50,9 @@ import elemental.json.JsonObject;
  */
 public class XhrConnection {
 
+    private static final String XSRF_HEADER_NAME = "X-XSRF-TOKEN";
+    private static final String XSRF_COOKIE_NAME = "XSRF-TOKEN";
+
     private ApplicationConnection connection;
 
     /**
@@ -183,6 +187,9 @@ public class XhrConnection {
      */
     public void send(JsonObject payload) {
         RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, getUri());
+
+        addXsrfHeaderFromCookie(rb);
+
         // TODO enable timeout
         // rb.setTimeoutMillis(timeoutMillis);
         // TODO this should be configurable
@@ -244,6 +251,13 @@ public class XhrConnection {
         return connection.getMessageHandler();
     }
 
+    public static void addXsrfHeaderFromCookie(RequestBuilder rb) {
+        String xsrfTokenVal = Cookies.getCookie(XSRF_COOKIE_NAME);
+        if (xsrfTokenVal != null && !xsrfTokenVal.isEmpty()) {
+            rb.setHeader(XSRF_HEADER_NAME, xsrfTokenVal);
+        }
+    }
+
     private static native boolean resendRequest(Request request)
     /*-{
         var xhr = request.@com.google.gwt.http.client.Request::xmlHttpRequest
-- 
cgit v1.2.3