From 8a560e3a37bf2c32fb771ad9e49daf1439bc0a73 Mon Sep 17 00:00:00 2001
From: Bastian Allgeier
Date: Thu, 1 Jul 2021 09:35:45 +0200
Subject: [PATCH] Send the CSRF token in Fiber requests
---
 panel/src/config/fiber.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/panel/src/config/fiber.js b/panel/src/config/fiber.js
index a842dc6daf..3ab21e021a 100644
--- a/panel/src/config/fiber.js
+++ b/panel/src/config/fiber.js
@@ -32,6 +32,7 @@ import { toJson } from "../api/request.js";
 const Fiber = {
 base: null,
+ csrf: null,
 page: null,
 swap: null,
@@ -40,11 +41,13 @@ const Fiber = {
 *
 * @param {object} options
 */
- init({ page, swap, base }) {
+ init({ csrf, page, swap, base }) {
 // set the base URL for all requests
 this.base = base || document.querySelector("base").href;
+ this.csrf = csrf;
+
 // callback function which handles
 // swapping components
 this.swap = swap;
@@ -278,7 +281,10 @@ const Fiber = {
 const response = await fetch(url, {
 method: options.method,
 body: this.body(options.body),
+ credentials: "same-origin",
+ cache: "no-store",
 headers: {
+ "X-CSRF": this.csrf,
 "X-Fiber": true,
 "X-Fiber-Referrer": this.page.$view.path,
 ...options.headers,
@@ -479,6 +485,7 @@ export const component = {
 created() {
 Fiber.init({
 page: window.fiber,
+ csrf: window.fiber.$system.csrf,
 swap: async ({ component, page, preserveState }) => {
 this.component = component;
 this.page = page;
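Review bot: `this.csrf = csrf;` in `init` stores whatever the caller passes without checking it, and the `@param {object} options` docblock above still does not mention the new `csrf` option. If the token is missing, the request hunk further down puts `undefined` into the `X-CSRF` header, which fetch serialises as the literal string "undefined", so the mistake would presumably surface only as rejected requests on the server. I would document the option in the docblock and fail early, for example `if (!csrf) { throw new Error("Fiber.init: CSRF token missing"); }`, or else omit the header when `this.csrf` is empty. The body of `init` continues outside the hunk.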
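Review bot: The `"X-CSRF": this.csrf` header is added to every request no matter where `url` points; `credentials: "same-origin"` keeps cookies off cross-origin requests but does not stop a custom header from being sent. How `url` is built is outside this hunk, so if it can ever be absolute or taken from response data, the token could reach another origin. Consider attaching it only when `new URL(url, this.base).origin === window.location.origin`. Separately, `...options.headers` is spread after `X-CSRF`, so a caller can overwrite the token; if that is not intended, move the spread above the fixed headers. The enclosing function starts and ends outside the hunk.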
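Review bot: `csrf: window.fiber.$system.csrf` is read once in `created()`, so Fiber keeps sending the token from the initial page payload for the lifetime of the component. If the backend ever issues a new token with a later response (for example after the session is regenerated; not visible here), every following request would carry a stale value. Assuming later page states also carry `$system.csrf`, the `swap` callback could refresh it with `if (page.$system && page.$system.csrf) { Fiber.csrf = page.$system.csrf; }`. The line also throws a TypeError when `window.fiber.$system` is absent, which deserves a short comment stating that the server always provides it. The `swap` callback continues outside the hunk.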