Add cms.enableXsrfCookies config value (default true) to configure whether or not the XSRF cookie is automatically sent or if CSRF tokens are solely relied on.

Related: https://github.com/octobercms/october/pull/4701#issuecomment-547773385 & https://github.com/laravel/framework/pull/24726

config/cms.php

@@ -374,13 +374,26 @@ return [
     | Cross Site Request Forgery (CSRF) Protection
     |--------------------------------------------------------------------------
     |
-    | If the CSRF protection is enabled, all "postback" requests are checked
-    | for a valid security token.
+    | If the CSRF protection is enabled, all "postback" & AJAX requests are
+    | checked for a valid security token.
     |
     */
 
     'enableCsrfProtection' => true,
 
+    /*
+    |--------------------------------------------------------------------------
+    | Automatic XSRF Cookies
+    |--------------------------------------------------------------------------
+    |
+    | Automatically provide and process an XSRF cookie to the browser to
+    | support CSRF protection on all AJAX requests without having to add
+    | an explicit CSRF token to the frontend markup
+    |
+    */
+
+    'enableXsrfCookies' => true,
+
     /*
     |--------------------------------------------------------------------------
     | Force bytecode invalidation

modules/cms/classes/Controller.php

@@ -29,6 +29,7 @@ use October\Rain\Exception\ValidationException;
 use October\Rain\Parse\Bracket as TextParser;
 use Symfony\Component\HttpFoundation\Cookie;
 use Illuminate\Http\RedirectResponse;
+use Symfony\Component\HttpFoundation\Response as BaseResponse;
 
 /**
  * The CMS controller class.
@@ -136,16 +137,21 @@ class Controller
      * Finds and serves the requested page.
      * If the page cannot be found, returns the page with the URL /404.
      * If the /404 page doesn't exist, returns the system 404 page.
-     * * If the parameter is omitted, the current URL used.
+     * If the parameter is null, the current URL used. If it is not
+     * provided then '/' is used
      *
-     * @param string $url Specifies the requested page URL.
-     * @return Response Returns the processed page content.
+     * @param string|null $url Specifies the requested page URL.
+     * @return BaseResponse Returns the response to the provided URL
      */
     public function run($url = '/')
     {
         $response = $this->runInternal($url);
 
-        if (Config::get('cms.enableCsrfProtection') && $response instanceof \Symfony\Component\HttpFoundation\Response) {
+        if (
+            Config::get('cms.enableCsrfProtection', true) &&
+            Config::get('cms.enableXsrfCookies', true) &&
+            $response instanceof BaseResponse
+        ) {
             $this->addXsrfCookie($response);
         }
 
@@ -156,7 +162,7 @@ class Controller
      * Process the request internally
      *
      * @param string $url Specifies the requested page URL.
-     * @return Response Returns the processed page content.
+     * @return BaseResponse Returns the response to the provided URL
      */
     protected function runInternal($url = '/')
     {
@@ -1607,9 +1613,11 @@ class Controller
     /**
      * Adds anti-CSRF cookie.
      * Adds a cookie with a token for CSRF checks to the response.
-     * @return Response
+     *
+     * @param BaseResponse $response The response object to add the cookie to
+     * @return BaseResponse
      */
-    protected function addXsrfCookie(\Symfony\Component\HttpFoundation\Response $response)
+    protected function addXsrfCookie(BaseResponse $response)
     {
         $config = Config::get('session');
 
@@ -1638,7 +1646,7 @@ class Controller
      */
     protected function verifyCsrfToken()
     {
-        if (!Config::get('cms.enableCsrfProtection')) {
+        if (!Config::get('cms.enableCsrfProtection', true)) {
             return true;
         }