diff --git a/lib/transports/jsonp-polling.js b/lib/transports/jsonp-polling.js
index 6f6829f78..f2d0cb221 100644
--- a/lib/transports/jsonp-polling.js
+++ b/lib/transports/jsonp-polling.js
@@ -8,20 +8,20 @@
 
 (function(){
 	var io = this.io;
-	
+
 	io.JSONP = [];
-	
+
 	JSONPPolling = io.Transport['jsonp-polling'] = function(){
 		io.Transport.XHR.apply(this, arguments);
 		this._insertAt = document.getElementsByTagName('script')[0];
 		this._index = io.JSONP.length;
 		io.JSONP.push(this);
 	};
-	
+
 	io.util.inherit(JSONPPolling, io.Transport['xhr-polling']);
-	
+
 	JSONPPolling.prototype.type = 'jsonp-polling';
-	
+
 	JSONPPolling.prototype._send = function(data){
 		var self = this;
 		if (!('_form' in this)){
@@ -29,7 +29,7 @@
 				area = document.createElement('TEXTAREA'),
 				id = this._iframeId = 'socket_io_iframe_' + this._index,
 				iframe;
-	
+
 			form.style.position = 'absolute';
 			form.style.top = '-1000px';
 			form.style.left = '-1000px';
@@ -38,24 +38,34 @@
 			form.action = this._prepareUrl() + '/' + (+new Date) + '/' + this._index;
 			area.name = 'data';
 			form.appendChild(area);
+			//Tornado
+			secureCookie = io.util.getCookie('_xsrf');
+			if (secureCookie) {
+				input = document.createElement('input');
+				input.type = 'hidden';
+				input.name = '_xsrf';
+				input.value = secureCookie;
+				form.appendChild(input);
+			}
+
 			this._insertAt.parentNode.insertBefore(form, this._insertAt);
 			document.body.appendChild(form);
-	
+
 			this._form = form;
 			this._area = area;
 		}
-	
+
 		function complete(){
 			initIframe();
 			self._posting = false;
 			self._checkSend();
 		};
-	
+
 		function initIframe(){
 			if (self._iframe){
 				self._form.removeChild(self._iframe);
-			} 
-	
+			}
+
 			try {
 				// ie6 dynamic iframes with target="" support (thanks Chris Lambacher)
 				iframe = document.createElement('<iframe name="'+ self._iframeId +'">');
@@ -63,22 +73,22 @@
 				iframe = document.createElement('iframe');
 				iframe.name = self._iframeId;
 			}
-	
+
 			iframe.id = self._iframeId;
-	
+
 			self._form.appendChild(iframe);
 			self._iframe = iframe;
 		};
-	
+
 		initIframe();
-	
+
 		this._posting = true;
 		this._area.value = data;
-	
+
 		try {
 			this._form.submit();
 		} catch(e){}
-	
+
 		if (this._iframe.attachEvent){
 			iframe.onreadystatechange = function(){
 				if (self._iframe.readyState == 'complete') complete();
@@ -87,7 +97,7 @@
 			this._iframe.onload = complete;
 		}
 	};
-	
+
 	JSONPPolling.prototype._get = function(){
 		var self = this,
 				script = document.createElement('SCRIPT');
@@ -103,18 +113,18 @@
 		this._insertAt.parentNode.insertBefore(script, this._insertAt);
 		this._script = script;
 	};
-	
+
 	JSONPPolling.prototype._ = function(){
 		this._onData.apply(this, arguments);
 		this._get();
 		return this;
 	};
-	
+
 	JSONPPolling.check = function(){
 		return true;
 	};
-	
+
 	JSONPPolling.xdomainCheck = function(){
 		return true;
 	};
-})();
\ No newline at end of file
+})();
diff --git a/lib/transports/xhr.js b/lib/transports/xhr.js
index 3fb4503fd..48aa3e2f6 100644
--- a/lib/transports/xhr.js
+++ b/lib/transports/xhr.js
@@ -1,6 +1,6 @@
 /**
  * Socket.IO client
- * 
+ *
  * @author Guillermo Rauch <guillermo@learnboost.com>
  * @license The MIT license.
  * @copyright Copyright (c) 2010 LearnBoost <dev@learnboost.com>
@@ -8,16 +8,16 @@
 
 (function(){
 	var io = this.io;
-	
+
 	var empty = new Function,
-	    
+
 	XMLHttpRequestCORS = (function(){
 		if (!('XMLHttpRequest' in window)) return false;
 		// CORS feature detection
 		var a = new XMLHttpRequest();
 		return a.withCredentials != undefined;
 	})(),
-	
+
 	request = function(xdomain){
 		if ('XDomainRequest' in window && xdomain) return new XDomainRequest();
 		if ('XMLHttpRequest' in window && (!xdomain || XMLHttpRequestCORS)) return new XMLHttpRequest();
@@ -26,7 +26,7 @@
 				var a = new ActiveXObject('MSXML2.XMLHTTP');
 				return a;
 			} catch(e){}
-		
+
 			try {
 				var b = new ActiveXObject('Microsoft.XMLHTTP');
 				return b;
@@ -34,19 +34,19 @@
 		}
 		return false;
 	},
-	
+
 	XHR = io.Transport.XHR = function(){
 		io.Transport.apply(this, arguments);
 		this._sendBuffer = [];
 	};
-	
+
 	io.util.inherit(XHR, io.Transport);
-	
+
 	XHR.prototype.connect = function(){
 		this._get();
 		return this;
 	};
-	
+
 	XHR.prototype._checkSend = function(){
 		if (!this._posting && this._sendBuffer.length){
 			var encoded = this._encode(this._sendBuffer);
@@ -54,7 +54,7 @@
 			this._send(encoded);
 		}
 	};
-	
+
 	XHR.prototype.send = function(data){
 		if (io.util.isArray(data)){
 			this._sendBuffer.push.apply(this._sendBuffer, data);
@@ -64,7 +64,7 @@
 		this._checkSend();
 		return this;
 	};
-	
+
 	XHR.prototype._send = function(data){
 		var self = this;
 		this._posting = true;
@@ -84,53 +84,56 @@
 		};
 		this._sendXhr.send('data=' + encodeURIComponent(data));
 	};
-	
+
 	XHR.prototype.disconnect = function(){
 		// send disconnection signal
 		this._onDisconnect();
 		return this;
 	};
-	
+
 	XHR.prototype._onDisconnect = function(){
 		if (this._xhr){
 			this._xhr.onreadystatechange = empty;
-      try {
-        this._xhr.abort();
-      } catch(e){}
+		try {
+			this._xhr.abort();
+		} catch(e){}
 			this._xhr = null;
 		}
 		if (this._sendXhr){
-      this._sendXhr.onreadystatechange = empty;
-      try {
-        this._sendXhr.abort();
-      } catch(e){}
+			this._sendXhr.onreadystatechange = empty;
+			try {
+				this._sendXhr.abort();
+			} catch(e){}
 			this._sendXhr = null;
 		}
 		this._sendBuffer = [];
 		io.Transport.prototype._onDisconnect.call(this);
 	};
-	
+
 	XHR.prototype._request = function(url, method, multipart){
 		var req = request(this.base._isXDomain());
 		if (multipart) req.multipart = true;
 		req.open(method || 'GET', this._prepareUrl() + (url ? '/' + url : ''));
 		if (method == 'POST' && 'setRequestHeader' in req){
+			secureCookie = io.util.getCookie('_xsrf');
+			if (secureCookie) req.setRequestHeader('X-XSRFToken', secureCookie);
+
 			req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded; charset=utf-8');
 		}
 		return req;
 	};
-	
+
 	XHR.check = function(xdomain){
 		try {
 			if (request(xdomain)) return true;
 		} catch(e){}
 		return false;
 	};
-	
+
 	XHR.xdomainCheck = function(){
 		return XHR.check(true);
 	};
-	
+
 	XHR.request = request;
-	
+
 })();
diff --git a/lib/util.js b/lib/util.js
index b5875721e..24833cdc7 100644
--- a/lib/util.js
+++ b/lib/util.js
@@ -41,12 +41,15 @@
 		isArray: function(obj){
 			return Object.prototype.toString.call(obj) === '[object Array]';
 		},
-		
-    merge: function(target, additional){
-      for (var i in additional)
-        if (additional.hasOwnProperty(i))
-          target[i] = additional[i];
-    }
+		getCookie: function(name){
+			var r = document.cookie.match("\\b" + name + "=([^;]*)\\b");
+			return r ? r[1] : undefined;
+		},
+		merge: function(target, additional){
+		  for (var i in additional)
+			if (additional.hasOwnProperty(i))
+			  target[i] = additional[i];
+		},
 
 	};