CSRF token sometimes invalid until refresh

[leth]

I just visited https://cloud.weave.works/ and POSTs to /api/metrics were failing with HTTP400 due to CSRF token validation.

A refresh fixed it, but is obviously non-ideal.

[leth]

My hunch is that this is a client-side issue around redirect handling.
I sometimes see something similar when running a local UI against a local minikube deployment.

I've looked into the CSRF handling a little for the UI development proxy; I'm not sure if this is the issue, but it might be a good place to start:
The nosurf request handler contains logic to issue an updated csrf token + cookie pair if needed.

Currently AFAIK the token is embedded in the HTML page, and then used in the client-side code.
If a new pair is issued for a non-html request; the cookie will be sent in the headers, but the token will be sent nowhere.
The browser will pick up the new cookie, but not the new token, leading to a mismatch.

[leth]

We should monitor CSRF errors

[awh]

https://github.com/weaveworks/service-ui/issues/883

[jml]

Also, the user-visible failure mode can be "This looks like it worked, but when you go to a different page and go back, your edits actually had no effect. Psych!"

[dlespiau]

We haven't seen this issue for 11 days after #1380, closing. Do re-open if needed.