author | Jon Newson <jon_newson@ieee.org> | 2016-02-26 16:20:59 +1100 |
---|---|---|
committer | Jon Newson <jon_newson@ieee.org> | 2016-02-26 16:20:59 +1100 |
commit | 05f4e2ca2d64eaba23c87df4d2e2cc9e09bba6de (patch) | |
tree | 50b2ccf6454f31a3f6bceaa997a5e2abbcb91a80 /web-ui/app/js/page | |
parent | 52467b9aef76c9aac2f250478befd3afb7b6aabd (diff) | |
parent | dbb434b56e6b161a3b851ae6a81f96dff14a29da (diff) |
Merge branch 'master' of https://github.com/pixelated/pixelated-user-agent
# By Felix Hammerl (5) and others
# Via NavaL
* 'master' of https://github.com/pixelated/pixelated-user-agent:
serving the client directly, as the current dependency on proxy strips out xsrf cookies -fixing functional test
only adding feature resource in root_resource test -- fixing build
changed logout to post Issue #612
Backend and frontend protection against CSRF attacks: - the root resource changes the CSRF token cookie every time it is loaded, in particular during the interstitial load during login - it will also add that cookie in single-user mode - initialize will still load all resources - but you can't access them if the CSRF token does not match - all AJAX calls need to add the token to the header - non-AJAX GET requests do not need XSRF token validation - non-AJAX POSTs will have to send the token as a form input or in the content
Consolidate stylesheets
Remove unused font and stylesheetgit s
Create a new deferred for all IMAPAccount calls
Clean up jshintrc
Recreate session on soledad problems
issue #617: Remove old html whitelister
Issue #617: Sanitize received content
Diffstat (limited to 'web-ui/app/js/page')
-rw-r--r-- | web-ui/app/js/page/default.js | 6 | ||||
-rw-r--r-- | web-ui/app/js/page/logout.js | 13 |
2 files changed, 16 insertions, 3 deletions
diff --git a/web-ui/app/js/page/default.js b/web-ui/app/js/page/default.js
index e33ec723..19b28354 100644
--- a/web-ui/app/js/page/default.js
+++ b/web-ui/app/js/page/default.js
@@ -51,6 +51,7 @@ define(
 'mail_view/data/feedback_sender',
 'page/version',
 'page/unread_count_title',
+ 'helpers/browser'
 ],
 function (
@@ -88,7 +89,8 @@ define(
 feedbackBox,
 feedbackSender,
 version,
- unreadCountTitle) {
+ unreadCountTitle,
+ browser) {
 'use strict';
 function initialize(path) {
@@ -129,6 +131,8 @@ define(
 feedbackSender.attachTo(document);
 unreadCountTitle.attachTo(document);
+
+ $.ajaxSetup({headers: {'X-XSRF-TOKEN': browser.getCookie('XSRF-TOKEN')}});
 }
 return initialize;
diff --git a/web-ui/app/js/page/logout.js b/web-ui/app/js/page/logout.js
index d881f6c2..81b57db2 100644
--- a/web-ui/app/js/page/logout.js
+++ b/web-ui/app/js/page/logout.js
@@ -14,19 +14,28 @@
 * You should have received a copy of the GNU Affero General Public License
 * along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 */
-define(['flight/lib/component', 'features', 'views/templates'], function (defineComponent, features, templates) {
+define(['flight/lib/component', 'features', 'views/templates', 'helpers/browser'],
+ function (defineComponent, features, templates, browser) {
 'use strict';
 return defineComponent(function () {
+ this.defaultAttrs({form: '#logout-form'});
+
 this.render = function () {
- var logoutHTML = templates.page.logout({ logout_url: features.getLogoutUrl() });
+ var logoutHTML = templates.page.logout({ logout_url: features.getLogoutUrl(),
+ csrf_token: browser.getCookie('XSRF-TOKEN')});
 this.$node.html(logoutHTML);
 };
+ this.logout = function(){
+ this.select('form').submit();
+ };
+
 this.after('initialize', function () {
 if (features.isLogoutEnabled()) {
 this.render();
+ this.on(this.$node, 'click', this.logout);
 }
 });
|
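Review bot: `$.ajaxSetup({headers: {'X-XSRF-TOKEN': browser.getCookie('XSRF-TOKEN')}})` in the third default.js hunk attaches the XSRF token as a default header to every jQuery request, including any cross-origin one, so the double-submit token would travel to other origins as well as to the backend it is meant for. It also reads the cookie a single time when initialize runs, so a token that the server rotates later in the session (the commit message says the root resource rotates it on each load) is never picked up by requests made afterwards. A `$.ajaxPrefilter` that reads the cookie per request and skips requests jQuery has marked `crossDomain` keeps the token on same-origin calls only; `helpers/browser` is outside the diff, so the code below assumes `getCookie` returns a falsy value when the cookie is absent. initialize's body continues outside the hunk.

```javascript
      // … unchanged: component attachTo calls …
      unreadCountTitle.attachTo(document);

      // Double-submit XSRF token: read the cookie per request so a rotated
      // token is honoured, and only attach it to same-origin requests.
      $.ajaxPrefilter(function (options) {
        var token = browser.getCookie('XSRF-TOKEN');
        if (options.crossDomain || !token) { return; }
        options.headers = options.headers || {};
        options.headers['X-XSRF-TOKEN'] = token;
      });
```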
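Review bot: `csrf_token: browser.getCookie('XSRF-TOKEN')` in the logout.js hunk passes the token into `templates.page.logout`, which is outside the diff; for the POST logout to carry it, that template has to render the value as a hidden input inside `#logout-form` (the selector set by `this.defaultAttrs({form: '#logout-form'})`) and has to HTML-escape it, because `this.$node.html(logoutHTML)` inserts the rendered string as markup, so this is worth confirming against the template. The new binding `this.on(this.$node, 'click', this.logout)` fires for any click inside the component node and the handler never calls `preventDefault`, so if the template still renders the logout control as a link with an `href`, the browser's own navigation will race the form submission; I'd write it as `this.logout = function (ev) { ev.preventDefault(); this.select('form').submit(); };` and bind it to the control that should trigger logout rather than the whole node. Style: `function(){` on the new logout handler differs from the `function () {` spacing used on the other functions in this hunk.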