Add xsrf token header if cookie is present (#11034)

Fixes #9471

client/src/main/java/com/vaadin/client/communication/Heartbeat.java

@@ -90,6 +90,8 @@ public void send() {
 
         final RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, uri);
 
+        XhrConnection.addXsrfHeaderFromCookie(rb);
+
         final RequestCallback callback = new RequestCallback() {
 
             @Override

client/src/main/java/com/vaadin/client/communication/XhrConnection.java

@@ -22,6 +22,7 @@
 import com.google.gwt.http.client.RequestCallback;
 import com.google.gwt.http.client.RequestException;
 import com.google.gwt.http.client.Response;
+import com.google.gwt.user.client.Cookies;
 import com.google.gwt.user.client.Timer;
 import com.google.gwt.user.client.Window;
 import com.google.gwt.user.client.Window.ClosingEvent;
@@ -51,6 +52,9 @@
  */
 public class XhrConnection {
 
+    private static final String XSRF_HEADER_NAME = "X-XSRF-TOKEN";
+    private static final String XSRF_COOKIE_NAME = "XSRF-TOKEN";
+
     private ApplicationConnection connection;
 
     /**
@@ -189,6 +193,9 @@ private void setRequestStartTime(double requestStartTime) {
      */
     public void send(JsonObject payload) {
         RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, getUri());
+
+        addXsrfHeaderFromCookie(rb);
+
         // TODO enable timeout
         // rb.setTimeoutMillis(timeoutMillis);
         // TODO this should be configurable
@@ -250,6 +257,13 @@ private MessageHandler getMessageHandler() {
         return connection.getMessageHandler();
     }
 
+    public static void addXsrfHeaderFromCookie(RequestBuilder rb) {
+        String xsrfTokenVal = Cookies.getCookie(XSRF_COOKIE_NAME);
+        if (xsrfTokenVal != null && !xsrfTokenVal.isEmpty()) {
+            rb.setHeader(XSRF_HEADER_NAME, xsrfTokenVal);
+        }
+    }
+
     private static native boolean resendRequest(Request request)
     /*-{
         var xhr = request.@com.google.gwt.http.client.Request::xmlHttpRequest