diff --git a/mitmproxy/web/app.py b/mitmproxy/web/app.py
index 43949cc76..50ee894b9 100644
--- a/mitmproxy/web/app.py
+++ b/mitmproxy/web/app.py
@@ -8,7 +8,7 @@ import re
import six
import tornado.websocket
-from six.moves import cStringIO as StringIO
+from io import BytesIO
from mitmproxy.flow import FlowWriter, FlowReader
from mitmproxy import filt
@@ -163,25 +163,22 @@ class Flows(RequestHandler):
class DumpFlows(RequestHandler):
def get(self):
- self.set_header("Content-Description", "File Transfer")
- self.set_header("Cache-Control", "no-cache, no-store, must-revalidate")
self.set_header("Content-Disposition", "attachment; filename=flows")
self.set_header("Content-Type", "application/octet-stream")
- self.set_header("Content-Transfer-Encoding", "binary")
- sio = StringIO()
- fw = FlowWriter(sio)
+ bio = BytesIO()
+ fw = FlowWriter(bio)
for f in self.state.flows:
fw.add(f)
- self.write(sio.getvalue())
+ self.write(bio.getvalue())
- sio.close()
+ bio.close()
def post(self):
- # self.state.clear()
- sio = StringIO(self.request.body)
- self.state.load_flows(FlowReader(sio).stream())
- sio.close()
+ self.state.clear()
+ bio = BytesIO(self.request.body)
+ self.state.load_flows(FlowReader(bio).stream())
+ bio.close()
class ClearAll(RequestHandler):
@@ -393,7 +390,7 @@ class Application(tornado.web.Application):
settings = dict(
template_path=os.path.join(os.path.dirname(__file__), "templates"),
static_path=os.path.join(os.path.dirname(__file__), "static"),
- xsrf_cookies=True,
+ xsrf_cookies=False,
cookie_secret=os.urandom(256),
debug=debug,
wauthenticator=wauthenticator,
diff --git a/web/src/js/actions.js b/web/src/js/actions.js
index 2f2479799..5c6f0167b 100644
--- a/web/src/js/actions.js
+++ b/web/src/js/actions.js
@@ -1,6 +1,7 @@
import $ from "jquery";
import _ from "lodash";
import {AppDispatcher} from "./dispatcher.js";
+import {getCookie} from "./utils.js";
export var ActionTypes = {
// Connection
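Review bot: In `DumpFlows.post` (mitmproxy/web/app.py), `self.state.clear()` now runs before the request body has been parsed, so an upload that is not a valid flow file discards the current capture and then presumably fails inside `FlowReader(bio).stream()`. Parsing first keeps the existing state on a bad upload: `flows = list(FlowReader(bio).stream())`, then `self.state.clear()`, then `self.state.load_flows(flows)` (this assumes `load_flows` accepts any iterable, which the hunk does not show). In `get`, the removed `Cache-Control: no-cache, no-store, must-revalidate` header was the only one telling the browser not to keep a copy of the dump, and captured flows can hold credentials and session cookies, so I would keep that one header. Both handlers also leave `bio` unclosed if an exception is raised before `bio.close()`.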
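Review bot: `xsrf_cookies=False` in the `Application` settings turns off Tornado's XSRF check for every handler this application registers, not only for the upload it was presumably meant to unblock. With the check off, a state-changing POST such as `DumpFlows.post` (which in this same commit starts clearing the flow state) is accepted without a valid `_xsrf` token, so a request triggered from another site in the user's browser is no longer rejected; the `_xsrf` value that `upload` in actions.js still sends is not validated by anything. I would keep `xsrf_cookies=True,` and fix the client instead: if the upload failed the check because `fetch` did not send the cookie, adding `credentials: 'same-origin'` to the fetch options should be enough. The `settings` dict continues outside the hunk.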
@@ -119,10 +120,18 @@ export var FlowActions = {
$.post("/clear");
},
download: () => window.location = "/flows/dump",
+
upload: (file) => {
+ var xsrf = $.param({_xsrf: getCookie("_xsrf")});
+ //console.log(xsrf);
var filereader = new FileReader();
filereader.file = file;
- filereader.onload = (e) => {$.post("/flows/dump", e.target.result); e.preventDefault();};
+ filereader.onload = (e) => {
+ fetch("/flows/dump?"+xsrf, {
+ method: 'post',
+ body: e.currentTarget.result
+ })
+ };
filereader.readAsBinaryString(file);
}
};
diff --git a/web/src/js/components/header.js b/web/src/js/components/header.js
index 859f2fcf0..adc8bb9b2 100644
--- a/web/src/js/components/header.js
+++ b/web/src/js/components/header.js
@@ -344,13 +344,13 @@ var FileMenu = React.createClass({
}
},
handleOpenClick: function (e) {
- $('#uploadFileInput').trigger('click');
+ this.fileInput.click();
e.preventDefault();
},
handleOpenFile: function (e) {
if (e.target.files.length > 0) {
FlowActions.upload(e.target.files[0]);
- $('#uploadFileInput').val("");
+ this.fileInput.value = "";
}
e.preventDefault();
},
@@ -380,7 +380,7 @@ var FileMenu = React.createClass({ Open... - + this.fileInput = ref} className="hidden" type="file" onChange={this.handleOpenFile}/>
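Review bot: The new `onload` handler in `upload` (web/src/js/actions.js) passes the result of `readAsBinaryString` to `fetch` as a string body, and string bodies are encoded as UTF-8, so every byte above 0x7F in the flow file is expanded on the wire and the server receives a file that differs from the one selected. Passing the `File` itself as `body` sends the raw bytes and makes the `FileReader` unnecessary. The `_xsrf` token is also better carried in the `X-XSRFToken` header than in the query string, where it ends up in access logs, and the response is never checked, so a rejected upload fails silently. The leftover `//console.log(xsrf);` can be dropped.

```javascript
upload: (file) => {
    fetch("/flows/dump", {
        method: "post",
        credentials: "same-origin",
        headers: {"X-XSRFToken": getCookie("_xsrf")},
        body: file
    }).then((response) => {
        if (!response.ok) {
            console.error("Flow upload failed: " + response.status);
        }
    });
}
```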