update chat-demo to use an anti-forgery token to demo how to set it up

chat-demo/resources/html/index.html

@@ -3,6 +3,11 @@
   <head>
     <meta charset="UTF-8"/>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+    <!-- include CSRF token that ring's anti-forgery middleware is expecting.
+         clj-browserchannel's client-side init will pick this meta tag up
+         automatically and include the token in all of browserchannel's
+         requests to the server. -->
+    <meta name="anti-forgery-token" content="{{ csrfToken }}">
     <title>BrowserChannel</title>
     <!-- Le HTML5 shim, for IE6-8 support of HTML elements -->
     <!--[if lt IE 9]>

chat-demo/src/chat_demo/server.clj

@@ -5,6 +5,7 @@
     [compojure.route :as route]
     [ring.middleware.defaults :refer [wrap-defaults site-defaults]]
     [ring.util.response :refer [response]]
+    [ring.middleware.anti-forgery :refer [*anti-forgery-token*]]
     [clj-pebble.core :as pebble]
     [net.thegeez.browserchannel.server :as browserchannel]
     [net.thegeez.browserchannel.jetty-async-adapter :as jetty]
@@ -40,14 +41,17 @@
 
 (def app-routes
   (routes
-    (GET "/" [] (pebble/render-resource "html/index.html" {:dev (boolean (env :dev))}))
+    (GET "/" [] (pebble/render-resource
+                  "html/index.html"
+                  {:dev       (boolean (env :dev))
+                   :csrfToken *anti-forgery-token*}))
     (route/resources "/")
     (route/not-found "not found")))
 
 (def handler
   (-> app-routes
       (browserchannel/wrap-browserchannel {:base "/channel" :on-session on-browserchannel-session})
-      (wrap-defaults (assoc-in site-defaults [:security :anti-forgery] false))))
+      (wrap-defaults site-defaults)))
 
 (defn run-jetty []
   (println "Using Jetty adapter")