Include CSRF <meta> elements in frame layout

[seanpdoyle]

Closes #669

If a response to a request with the Turbo-Frame: header does not include the <meta> elements in the <html> document, it's likely that the browser will remove any <meta> element present after handling navigating the <turbo-frame> that originated the request.

In support of testing this behavior, this commit enables CSRF protection in the test suite.

[seanpdoyle]

This is a more conservative, less disruptive alternative to #534.

While this might resolve any CSRF-related inconsistencies in the <head>, it is still an incomplete solution. For example, it does not include CSP <meta> elements, PWA <meta> elements, or any other <head> elements that new Rails applications are generated with by default.

While #534 might feel too ambitious of a proposal, it circumvents this entire class of issue, and removes any burden of responsibility to decide which <head> elements are worth including by default.

[ramhoj]

Regarding the failing Rails 7.1 tests, I had the same issue in another branch and submitted #696 to address them.

[seanpdoyle]

@jorgemanrubia @brunoprietog are either of you experiencing this issue in your applications?

[jorgemanrubia]

I don't manage to reproduce this one. In the way turbo works, for turbo-frame requests Turbo won't do any head processing. Why would it remove CSRF tokens from the header? I'll ask for a reproduction case in the original issue.

[sfnelson]

@jorgemanrubia in our experience of this issue, we're including turbo-tracked elements in our frame, i.e.

<% content_for(:head) do %>
  <%= stylesheet_link_tag :app, "data-turbo-track": "reload" %>
  <%= javascript_importmap_tags %>
<% end %>

We're also using data-turbo-action="advance". Sorry for not including this context in the original report.

https://github.com/katalyst/turbo-frames-669

[jorgemanrubia]

thanks @sfnelson, that was a bit I was missing. @seanpdoyle could you verify your patch fixes this scenario, now we should be able to reproduce?

[sfnelson]

@jorgemanrubia we've been using @seanpdoyle's patch in production since November when we identified the issue. This solution isn't perfect as @seanpdoyle pointed out – it brute force solves CSRF but removes all other meta tags.

We don't want to send all the turbo tracked elements in our frame heads, but if we don't then performing a frame advance visit triggers #580 which leaves turbo in an inconsistent state where navigation pop no longer works.

I think there's a wider discussion to be had about how turbo frame advance visits work, as the status quo is very challenging to navigate successfully. Our ideal outcome is being able to push a navigation from the server that changes the URL and participates in browser history, but doesn't change the background DOM, similar to a hotwire native modal visit.

We'd be happy to contribute time and resources to if this is something that is on the hotwire/turbo team's radar.

[jorgemanrubia]

Thanks for the clarifications @sfnelson. I'll merge this one. Maybe a more general solution is what @seanpdoyle proposed in #534 (thanks @brunoprietog for pointing that out). But, for now, let's fix this one.