diff --git a/mitmproxy/web/__init__.py b/mitmproxy/web/__init__.py
index 357718f15..80a658863 100644
--- a/mitmproxy/web/__init__.py
+++ b/mitmproxy/web/__init__.py
@@ -87,9 +87,6 @@ class WebState(flow.State):
 data=[]
 )
- def load_flows(self, flows):
- super(WebState, self).load_flows(flows)
-
 class Options(object):
 attributes = [
diff --git a/mitmproxy/web/app.py b/mitmproxy/web/app.py
index 50ee894b9..af2f6e8c4 100644
--- a/mitmproxy/web/app.py
+++ b/mitmproxy/web/app.py
@@ -390,7 +390,7 @@ class Application(tornado.web.Application):
 settings = dict(
 template_path=os.path.join(os.path.dirname(__file__), "templates"),
 static_path=os.path.join(os.path.dirname(__file__), "static"),
- xsrf_cookies=False,
+ xsrf_cookies=True,
 cookie_secret=os.urandom(256),
 debug=debug,
 wauthenticator=wauthenticator,
diff --git a/web/src/js/actions.js b/web/src/js/actions.js
index 5c6f0167b..9325765b1 100644
--- a/web/src/js/actions.js
+++ b/web/src/js/actions.js
@@ -1,7 +1,6 @@
 import $ from "jquery";
-import _ from "lodash";
 import {AppDispatcher} from "./dispatcher.js";
-import {getCookie} from "./utils.js";
+import {fetchApi} from "./utils.js";
 export var ActionTypes = {
 // Connection
@@ -122,12 +121,10 @@ export var FlowActions = {
 download: () => window.location = "/flows/dump",
 upload: (file) => {
- var xsrf = $.param({_xsrf: getCookie("_xsrf")});
- //console.log(xsrf);
 var filereader = new FileReader();
 filereader.file = file;
 filereader.onload = (e) => {
- fetch("/flows/dump?"+xsrf, {
+ fetchApi("/flows/dump", {
 method: 'post',
 body: e.currentTarget.result
 })
diff --git a/web/src/js/utils.js b/web/src/js/utils.js
index 454bfe226..97737b201 100644
--- a/web/src/js/utils.js
+++ b/web/src/js/utils.js
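Review bot: Flipping `xsrf_cookies=True` only protects requests if some handler actually issues the `_xsrf` cookie, and nothing in this hunk shows one doing so — Tornado sets that cookie lazily the first time a handler reads `self.xsrf_token`, so if no handler (e.g. the one serving the index page) touches it, the frontend finds no cookie and every non-GET request is rejected with 403 `'_xsrf' argument missing`. The check also covers only methods other than GET/HEAD/OPTIONS on RequestHandlers; if the app exposes a WebSocket handler (not visible here) it is not covered and needs its own `check_origin`. A comment above the changed line would save the next reader the trip through Tornado: `# Tornado rejects any non-GET/HEAD/OPTIONS request whose _xsrf argument/header does not match the _xsrf cookie; the cookie is only issued once a handler reads self.xsrf_token.` The `settings = dict(` call continues outside the hunk.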
@@ -76,11 +76,11 @@ export function reverseString(s) {
 ) + end;
 }
-export function getCookie(name) {
+function getCookie(name) {
 var r = document.cookie.match(new RegExp("\\b" + name + "=([^;]*)\\b"));
 return r ? r[1] : undefined;
 }
-var xsrf = $.param({_xsrf: getCookie("_xsrf")});
+const xsrf = `_xsrf=${getCookie("_xsrf")}`;
 //Tornado XSRF Protection.
 $.ajaxPrefilter(function (options) {
@@ -101,4 +101,16 @@ $(document).ajaxError(function (event, jqXHR, ajaxSettings, thrownError) {
 console.error(thrownError, message, arguments);
 actions.EventLogActions.add_event(thrownError + ": " + message);
 alert(message);
-});
\ No newline at end of file
+});
+
+export function fetchApi(url, options) {
+ if(url.indexOf("?") === -1){
+ url += "?" + xsrf;
+ } else {
+ url += "&" + xsrf;
+ }
+ return fetch(url, {
+ ...options,
+ credentials: 'same-origin'
+ });
+}
\ No newline at end of file
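Review bot: The new `const xsrf` line evaluates `getCookie("_xsrf")` once at module load and no longer URL-encodes the value, whereas the removed `$.param` call encoded it at each use. If the `_xsrf` cookie is absent when the bundle loads, or is rotated later, every request for the life of the page carries the literal `_xsrf=undefined`, and any reserved characters in the token are sent unescaped. Suggest making it a function read at request time, `const xsrfParam = () => "_xsrf=" + encodeURIComponent(getCookie("_xsrf") || "");`, and calling it where the constant is used now. The `$.ajaxPrefilter` callback that consumes it continues outside the hunk.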
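Review bot: `fetchApi` appends the XSRF token to the query string of every request, GETs included, which puts the token into browser history, Referer headers and the server's access log, and it bakes in the module-level `xsrf` value computed once at load. Tornado's `check_xsrf_cookie` also accepts the token in an `X-XSRFToken` request header, which keeps it out of URLs and lets it be read fresh from the cookie on each call via the file's own `getCookie`. The rewrite below does that and drops the `indexOf("?")` splicing; a one-line JSDoc such as `/** fetch() wrapper for same-origin API calls: sends cookies plus Tornado's _xsrf token as a header. */` would document the contract.
```javascript
export function fetchApi(url, options = {}) {
    return fetch(url, {
        ...options,
        credentials: 'same-origin',
        headers: {
            ...(options.headers || {}),
            // Tornado's check_xsrf_cookie reads X-XSRFToken as well as the _xsrf argument.
            'X-XSRFToken': getCookie("_xsrf")
        }
    });
}
```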