Require xsrf/csrf when using a password (#6396)

esphome/dashboard/web_server.py

@@ -688,6 +688,11 @@ class MainRequestHandler(BaseHandler):
     @authenticated
     def get(self) -> None:
         begin = bool(self.get_argument("begin", False))
+        if settings.using_password:
+            # Simply accessing the xsrf_token sets the cookie for us
+            self.xsrf_token  # pylint: disable=pointless-statement
+        else:
+            self.clear_cookie("_xsrf")
 
         self.render(
             "index.template.html",
@@ -1102,6 +1107,7 @@ def get_cache_time(
         "log_function": log_function,
         "websocket_ping_interval": 30.0,
         "template_path": get_base_frontend_path(),
+        "xsrf_cookies": settings.using_password,
     }
     rel = settings.relative_url
     return tornado.web.Application(

requirements.txt

@@ -12,7 +12,7 @@ pyserial==3.5
 platformio==6.1.13  # When updating platformio, also update Dockerfile
 esptool==4.7.0
 click==8.1.7
-esphome-dashboard==20231107.0
+esphome-dashboard==20240319.0
 aioesphomeapi==23.1.1
 zeroconf==0.131.0
 python-magic==0.4.27