From 73e494770fe83b41f879d6f068f15c3056c943cf Mon Sep 17 00:00:00 2001
From: Maximilian Hils <git@maximilianhils.com>
Date: Thu, 2 Jun 2016 10:34:16 -0700
Subject: [PATCH] web: add fetchApi convenience method

---
 mitmproxy/web/__init__.py |  3 ---
 mitmproxy/web/app.py      |  2 +-
 web/src/js/actions.js     |  7 ++-----
 web/src/js/utils.js       | 18 +++++++++++++++---
 4 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/mitmproxy/web/__init__.py b/mitmproxy/web/__init__.py
index 357718f15..80a658863 100644
--- a/mitmproxy/web/__init__.py
+++ b/mitmproxy/web/__init__.py
@@ -87,9 +87,6 @@ class WebState(flow.State):
             data=[]
         )
 
-    def load_flows(self, flows):
-        super(WebState, self).load_flows(flows)
-
 
 class Options(object):
     attributes = [
diff --git a/mitmproxy/web/app.py b/mitmproxy/web/app.py
index 50ee894b9..af2f6e8c4 100644
--- a/mitmproxy/web/app.py
+++ b/mitmproxy/web/app.py
@@ -390,7 +390,7 @@ class Application(tornado.web.Application):
         settings = dict(
             template_path=os.path.join(os.path.dirname(__file__), "templates"),
             static_path=os.path.join(os.path.dirname(__file__), "static"),
-            xsrf_cookies=False,
+            xsrf_cookies=True,
             cookie_secret=os.urandom(256),
             debug=debug,
             wauthenticator=wauthenticator,
diff --git a/web/src/js/actions.js b/web/src/js/actions.js
index 5c6f0167b..9325765b1 100644
--- a/web/src/js/actions.js
+++ b/web/src/js/actions.js
@@ -1,7 +1,6 @@
 import $ from "jquery";
-import _ from "lodash";
 import {AppDispatcher} from "./dispatcher.js";
-import {getCookie} from "./utils.js";
+import {fetchApi} from "./utils.js";
 
 export var ActionTypes = {
     // Connection
@@ -122,12 +121,10 @@ export var FlowActions = {
     download: () => window.location = "/flows/dump",
 
     upload: (file) => {
-        var xsrf = $.param({_xsrf: getCookie("_xsrf")});
-        //console.log(xsrf);
         var filereader = new FileReader();
         filereader.file = file;
         filereader.onload = (e) => {
-            fetch("/flows/dump?"+xsrf,  {
+            fetchApi("/flows/dump",  {
                 method: 'post',
                 body: e.currentTarget.result
             })
diff --git a/web/src/js/utils.js b/web/src/js/utils.js
index 454bfe226..97737b201 100644
--- a/web/src/js/utils.js
+++ b/web/src/js/utils.js
@@ -76,11 +76,11 @@ export function reverseString(s) {
         ) + end;
 }
 
-export function getCookie(name) {
+function getCookie(name) {
     var r = document.cookie.match(new RegExp("\\b" + name + "=([^;]*)\\b"));
     return r ? r[1] : undefined;
 }
-var xsrf = $.param({_xsrf: getCookie("_xsrf")});
+const xsrf = `_xsrf=${getCookie("_xsrf")}`;
 
 //Tornado XSRF Protection.
 $.ajaxPrefilter(function (options) {
@@ -101,4 +101,16 @@ $(document).ajaxError(function (event, jqXHR, ajaxSettings, thrownError) {
     console.error(thrownError, message, arguments);
     actions.EventLogActions.add_event(thrownError + ": " + message);
     alert(message);
-});
\ No newline at end of file
+});
+
+export function fetchApi(url, options) {
+    if(url.indexOf("?") === -1){
+        url += "?" + xsrf;
+    } else {
+        url += "&" + xsrf;
+    }
+    return fetch(url, {
+        ...options,
+        credentials: 'same-origin'
+    });
+}
\ No newline at end of file