From df13b061f2f6ba10beae64d9b358c0365736370e Mon Sep 17 00:00:00 2001
From: Bogdan Udrescu <bogdan@vaadin.com>
Date: Wed, 9 Jul 2014 18:40:26 +0300
Subject: Remove csrfToken if disable-xsrf-protection is true (#14111)

If the server sends no token and the client value remains "init" then
it's not sent back to the server.

Change-Id: I74fc470c5c22d57c4a48eab3e4476ae4cc2dd242
---
 .../src/com/vaadin/shared/ApplicationConstants.java  | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

(limited to 'shared')

diff --git a/shared/src/com/vaadin/shared/ApplicationConstants.java b/shared/src/com/vaadin/shared/ApplicationConstants.java
index da4ac7450d..15eefe3b21 100644
--- a/shared/src/com/vaadin/shared/ApplicationConstants.java
+++ b/shared/src/com/vaadin/shared/ApplicationConstants.java
@@ -1,12 +1,12 @@
 /*
  * Copyright 2000-2014 Vaadin Ltd.
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@@ -86,7 +86,7 @@ public class ApplicationConstants implements Serializable {
     /**
      * The name of the debug version of the javascript containing push support.
      * The file is located in the VAADIN directory.
-     * 
+     *
      * @since 7.1.6
      */
     public static final String VAADIN_PUSH_DEBUG_JS = "vaadinPush.debug.js";
@@ -98,14 +98,14 @@ public class ApplicationConstants implements Serializable {
 
     /**
      * The name of the parameter used to transmit RPC invocations
-     * 
+     *
      * @since 7.2
      */
     public static final String RPC_INVOCATIONS = "rpc";
 
     /**
      * The name of the parameter used to transmit the CSRF token
-     * 
+     *
      * @since 7.2
      */
     public static final String CSRF_TOKEN = "csrfToken";
@@ -114,9 +114,15 @@ public class ApplicationConstants implements Serializable {
      * The name of the parameter used to transmit the sync id. The value can be
      * set to -1 e.g. when testing with pre-recorded requests to make the
      * framework ignore the sync id.
-     * 
+     *
      * @see com.vaadin.ui.ConnectorTracker#getCurrentSyncId()
      * @since 7.2
      */
     public static final String SERVER_SYNC_ID = "syncId";
+
+    /**
+     * Default value to use in case the security protection is disabled.
+     */
+    public static final String CSRF_TOKEN_DEFAULT_VALUE = "init";
+
 }
-- 
cgit v1.2.3