[fix] csrf for open_url_post

frappe/auth.py

@@ -61,7 +61,12 @@ class HTTPRequest:
 				# not via boot
 				return
 
-			if frappe.local.session.data.csrf_token != frappe.get_request_header("X-Frappe-CSRF-Token"):
+			csrf_token = frappe.get_request_header("X-Frappe-CSRF-Token")
+			if not csrf_token and "csrf_token" in frappe.local.form_dict:
+				csrf_token = frappe.local.form_dict.csrf_token
+				del frappe.local.form_dict["csrf_token"]
+
+			if frappe.local.session.data.csrf_token != csrf_token:
 				frappe.local.flags.disable_traceback = True
 				frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)
 

frappe/public/js/legacy/handler.js

@@ -86,6 +86,7 @@ function open_url_post(URL, PARAMS, new_window) {
 	if(new_window){
 		temp.target = '_blank';
 	}
+	PARAMS["csrf_token"] = frappe.csrf_token;
 	for(var x in PARAMS) {
 		var opt=document.createElement("textarea");
 		opt.name=x;