transport of token moved to headers for XHR post

On js side, token is added to request header in case of POST request.
On server side - POST request, it looks for data in header, if failed
then looks for data in post payload.

Author: mebjas

js/csrfprotector.js

@@ -289,55 +289,18 @@ function csrfprotector_init() {
 	 */
 	function new_send(data) {
 		if (this.method.toLowerCase() === 'post') {
-			if (data !== null && typeof data === 'object') {
-				data[CSRFP.CSRFP_TOKEN] = CSRFP._getAuthKey();
-			} else {
-				// Added support for content type == application / json
-				if (this.headers && 'Content-Type' in this.headers
-					&& this.headers['Content-Type'] === 'application/json') {
-					try {
-						data = JSON.parse(data)
-						data[CSRFP.CSRFP_TOKEN] = CSRFP._getAuthKey();
-						return this.old_send(JSON.stringify(data));
-						
-					} catch (ex) {
-						console.log("[ERROR] [CSRF Protector] Unable to parse content ",
-							"when content-type is application/json", ex);
-					}
-				}
-
-				if (typeof data != "undefined") {
-					data += "&";
-				} else {
-					data = "";
-				}
-				data += CSRFP.CSRFP_TOKEN +"=" +CSRFP._getAuthKey();
-			}
+			// attach the token in request header
+			this.setRequestHeader(CSRFP.CSRFP_TOKEN, CSRFP._getAuthKey());
 		}
 		return this.old_send(data);
 	}
 
-	/**
-	 * Wrapper method to override setRequestHeader method of
-	 * XMLHttpRequests
-	 * @param: header - header name
-	 * @param: value - header value
-	 */
-	function new_setRequestHeader(header, value) {
-		if (!this.headers) this.headers = {};
-		this.headers[header] = value;
-
-		this.old_setRequestHeader(header, value);
-	}
-
 	if (window.XMLHttpRequest) {
 		// Wrapping
 		XMLHttpRequest.prototype.old_send = XMLHttpRequest.prototype.send;
 		XMLHttpRequest.prototype.old_open = XMLHttpRequest.prototype.open;
-		XMLHttpRequest.prototype.old_setRequestHeader = XMLHttpRequest.prototype.setRequestHeader;
 		XMLHttpRequest.prototype.open = new_open;
 		XMLHttpRequest.prototype.send = new_send;
-		XMLHttpRequest.prototype.setRequestHeader = new_setRequestHeader;
 	}
 	if (typeof ActiveXObject !== 'undefined') {
 		ActiveXObject.prototype.old_send = ActiveXObject.prototype.send;

libs/csrf/csrfprotector.php

@@ -1,5 +1,4 @@
 <?php
-
 if (!defined('__CSRF_PROTECTOR__')) {
 	define('__CSRF_PROTECTOR__', true); 	// to avoid multiple declaration errors
 
@@ -159,6 +158,8 @@ public static function init($length = null, $action = null)
 				}
 			}
 
+			// TODO: initialize the setcookie params, based on config;
+
 			// Authorise the incoming request
 			self::authorizePost();
 
@@ -200,22 +201,12 @@ public static function authorizePost()
 				//set request type to POST
 				self::$requestType = "POST";
 
-				$token = (isset($_POST[self::$config['CSRFP_TOKEN']]))
-					? $_POST[self::$config['CSRFP_TOKEN']] : false;
-
-				if ($_SERVER["CONTENT_TYPE"] === self::JSONCONTENTTYPE) {
-					try {
-						$request_body = file_get_contents('php://input');
-						$request_body = json_decode($request_body, true);
-						if (isset($request_body[self::$config['CSRFP_TOKEN']])) {
-							$token = $request_body[self::$config['CSRFP_TOKEN']];
-						}
-					} catch (Exception $ex) {
-						// silently absorb this exception
-						// it could be because IO is blocked or json decode fails
-						// either way log it or add some handleing
-						// TODO ^^
-					}
+				// look for token in header, then in payload
+				$token = false;
+				if (isset(apache_request_headers()[self::$config['CSRFP_TOKEN']])) {
+					$token = apache_request_headers()[self::$config['CSRFP_TOKEN']];
+				} else if (isset($_POST[self::$config['CSRFP_TOKEN']])) {
+					$token = $_POST[self::$config['CSRFP_TOKEN']];
 				}
 
 				//currently for same origin only
@@ -353,6 +344,7 @@ public static function refreshToken()
 			array_push($_SESSION[self::$config['CSRFP_TOKEN']], $token);
 
 			//set token to cookie for client side processing
+			// TODO: all the params must be loaded from config
 			setcookie(self::$config['CSRFP_TOKEN'], 
 				$token, 
 				time() + self::$cookieExpiryTime,