From 8da798a5cd2f5f640719550eebebc03e9a9d29d1 Mon Sep 17 00:00:00 2001
From: Samuel Georges
Date: Mon, 4 Nov 2019 09:06:05 +1100
Subject: [PATCH] Remove XSRF cookie

This was a contentious change is generally a bad idea to blanket all requests with a dependant cookie. We will try something else. Revert enableXsrfCookies setting. Fixes UX issue introduced where the token expires. This should be replaced by a CSRF policy that determines whether this is needed on the front end.
---
 config/cms.php | 13 -------------
 modules/backend/classes/Controller.php | 7 -------
 modules/cms/classes/Controller.php | 12 ++++--------
 3 files changed, 4 insertions(+), 28 deletions(-)

diff --git a/config/cms.php b/config/cms.php
index 5c885e220..acb98db9a 100644
--- a/config/cms.php
+++ b/config/cms.php
@@ -381,19 +381,6 @@ return [
 'enableCsrfProtection' => true,
- /*
- |--------------------------------------------------------------------------
- | Automatic XSRF Cookies
- |--------------------------------------------------------------------------
- |
- | Automatically provide and process an XSRF cookie to the browser to
- | support CSRF protection on all AJAX requests without having to add
- | an explicit CSRF token to the frontend markup
- |
- */
- 'enableXsrfCookies' => true,
-
 /*
 |--------------------------------------------------------------------------
 | Force bytecode invalidation
diff --git a/modules/backend/classes/Controller.php b/modules/backend/classes/Controller.php
index a80b5b4dd..ff6177320 100644
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@@ -174,13 +174,6 @@ class Controller extends Extendable
 return Response::make(Lang::get('system::lang.page.invalid_token.label'), 403);
 }
- if (
- Config::get('cms.enableCsrfProtection', true) &&
- Config::get('cms.enableXsrfCookies', true)
- ) {
- $this->setResponseCookie($this->makeXsrfCookie());
- }
-
 /*
 * Check forced HTTPS protocol.
 * @see \System\Traits\SecurityController
diff --git a/modules/cms/classes/Controller.php b/modules/cms/classes/Controller.php
index 9c1e05b11..777a89147 100644
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@@ -148,19 +148,15 @@ class Controller
 /*
 * Check security token.
+ *
+ * Note: Ignore AJAX requests until a CSRF policy introduced.
+ *
 * @see \System\Traits\SecurityController
 */
- if (!$this->verifyCsrfToken()) {
+ if (!Request::ajax() && !$this->verifyCsrfToken()) {
 return Response::make(Lang::get('system::lang.page.invalid_token.label'), 403);
 }
- if (
- Config::get('cms.enableCsrfProtection', true) &&
- Config::get('cms.enableXsrfCookies', true)
- ) {
- $this->setResponseCookie($this->makeXsrfCookie());
- }
-
 /*
 * Hidden page
 */
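Review bot: The new guard `if (!Request::ajax() && !$this->verifyCsrfToken())` turns off CSRF verification for every frontend AJAX request, so any state-changing AJAX handler on the frontend is now protected only by whatever `Request::ajax()` inspects — presumably the `X-Requested-With` header, which a cross-origin page can send whenever the site's CORS policy admits that header, and which is no substitute for a token. If the exemption is needed to work around the token-expiry UX issue, make it an explicit, default-off setting rather than unconditional, e.g. `if (!(Request::ajax() && Config::get('cms.csrfIgnoreAjax', false)) && !$this->verifyCsrfToken()) {`, and address expiry by refreshing the token on the client instead of skipping the check. The added comment should also state the assumption it rests on, e.g. `* Note: AJAX requests bypass the token check until a CSRF policy is introduced; this relies on the X-Requested-With header and on CORS not allowing it cross-origin.` The enclosing method begins and ends outside the hunk.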