Merge branch '4.9' of https://github.com/craftcms/cms into 5.1

# Conflicts:
#	CHANGELOG-WIP.md

CHANGELOG-WIP.md

@@ -6,6 +6,7 @@
 - Table views within element index pages are now scrolled directly, so that their horizontal scrollbars are always visible without scrolling to the bottom of the page. ([#14765](https://github.com/craftcms/cms/issues/14765))
 
 ### Administration
+- Added the `asyncCsrfInputs` config setting. ([#14625](https://github.com/craftcms/cms/pull/14625))
 - `resave` commands now support an `--if-invalid` option. ([#14731](https://github.com/craftcms/cms/issues/14731))
 
 ### Extensibility
@@ -15,3 +16,6 @@
 - Added `craft\web\Request::getBearerToken()`. ([#14784](https://github.com/craftcms/cms/pull/14784))
 - `craft\base\NameTrait::prepareNamesForSave()` no longer updates the name properties if `fullName`, `firstName`, and `lastName` are already set. ([#14665](https://github.com/craftcms/cms/issues/14665))
 - Added `Craft.MatrixInput.Entry`. ([#14730](https://github.com/craftcms/cms/pull/14730))
+
+### System
+- Batched queue jobs now set their progress based on the total progress across all batches, rather than just the current batch. ([#14817](https://github.com/craftcms/cms/pull/14817))

src/config/GeneralConfig.php

@@ -1014,6 +1014,24 @@ class GeneralConfig extends BaseConfig
      */
     public bool $disableGraphqlTransformDirective = false;
 
+
+    /**
+     * @var bool Whether CSRF values should be injected via JavaScript for greater cache-ability.
+     *
+     *  ::: code
+     *  ```php Static Config
+     *  ->asyncCsrfInputs(true)
+     *  ```
+     *  ```shell Environment Override
+     *  CRAFT_ASYNC_CSRF_INPUTS=1
+     *  ```
+     *  :::
+     *
+     * @group Security
+     * @since 4.9.0
+     */
+    public bool $asyncCsrfInputs = false;
+
     /**
      * @var bool Whether front-end web requests should support basic HTTP authentication.
      *
@@ -4268,6 +4286,24 @@ public function disableGraphqlTransformDirective(bool $value = true): self
         return $this;
     }
 
+    /**
+     * Whether CSRF values should be injected via JavaScript for greater cache-ability.
+     *
+     *  ```php
+     *  ->asyncCsrfInputs(true)
+     *  ```
+     *
+     * @param bool $value
+     * @return self
+     * @see $asyncCsrfInputs
+     * @since 4.9.0
+     */
+    public function asyncCsrfInputs(bool $value = true): self
+    {
+        $this->asyncCsrfInputs = $value;
+        return $this;
+    }
+
     /**
      * Whether front-end web requests should support basic HTTP authentication.
      *

src/helpers/Html.php

@@ -11,6 +11,7 @@
 use craft\elements\Asset;
 use craft\errors\InvalidHtmlTagException;
 use craft\image\SvgAllowedAttributes;
+use craft\web\View;
 use enshrined\svgSanitize\Sanitizer;
 use Throwable;
 use yii\base\Exception;
@@ -96,7 +97,24 @@ public static function encodeSpaces(string $str): string
     public static function csrfInput(array $options = []): string
     {
         $request = Craft::$app->getRequest();
-        return static::hiddenInput($request->csrfParam, $request->getCsrfToken(), $options);
+        $async = (bool)(ArrayHelper::remove($options, 'async') ?? Craft::$app->getConfig()->getGeneral()->asyncCsrfInputs);
+
+        if (!$async) {
+            Craft::$app->getResponse()->setNoCacheHeaders();
+            return static::hiddenInput($request->csrfParam, $request->getCsrfToken(), $options);
+        }
+
+        Craft::$app->getView()->registerHtml(
+            Craft::$app->getView()->renderTemplate(
+                '_special/async-csrf-input',
+                [
+                    'url' => UrlHelper::actionUrl('users/session-info'),
+                ],
+                View::TEMPLATE_MODE_CP,
+            )
+        );
+
+        return static::tag('craft-csrf-input');
     }
 
     /**

src/queue/BaseBatchedJob.php

@@ -115,7 +115,6 @@ final protected function totalBatches(): int
     public function execute($queue): void
     {
         $items = $this->data()->getSlice($this->itemOffset, $this->batchSize);
-        $totalInBatch = is_array($items) ? count($items) : iterator_count($items);
 
         $memoryLimit = ConfigHelper::sizeInBytes(ini_get('memory_limit'));
         $startMemory = $memoryLimit != -1 ? memory_get_usage() : null;
@@ -129,9 +128,11 @@ public function execute($queue): void
         $i = 0;
 
         foreach ($items as $item) {
-            $this->setProgress($queue, $i / $totalInBatch, Translation::prep('app', '{step, number} of {total, number}', [
-                'step' => $this->itemOffset + 1,
-                'total' => $this->totalItems(),
+            $step = $this->itemOffset + 1;
+            $total = $this->totalItems();
+            $this->setProgress($queue, $step / $total, Translation::prep('app', '{step, number} of {total, number}', [
+                'step' => $step,
+                'total' => $total,
             ]));
             $this->processItem($item);
             $this->itemOffset++;

src/templates/_special/async-csrf-input.twig

@@ -0,0 +1,19 @@
+<script>
+  (function() {
+    fetch('{{ url }}', {
+      headers: {
+        'Accept': 'application/json',
+      }
+    }).then(response => response.json())
+      .then(data => {
+        document.querySelectorAll('craft-csrf-input')
+          .forEach(element => {
+            const input = document.createElement('input');
+            input.type = 'hidden';
+            input.name = data.csrfTokenName;
+            input.value = data.csrfTokenValue;
+            element.replaceWith(input);
+          });
+      });
+  })();
+</script>