Does this work since content of that cookie is an encrypted version of the CSRF token, not the token itself?

As you can see, Laravel decrypts the header here: https://github.com/laravel/framework/blob/6.x/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php#L153

The only thing needed to make this work would be to change the header name from X-CSRF to X-XSRF when sending the encrypted versiom. Will PR that later today

Honestly I'm fine not messing with this.

I was about to submit a PR with a slightly different approach to setting the X-XSRF-TOKEN header, but realized it won't work with a SPA as the header can't be changed after constructing Pusher.

I came up with this solution, which ensures the header is always kept up-to-date:

const cookie = function (name) {
    let match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
    return (match ? decodeURIComponent(match[3]) : null);
}

const xsrf = (urlmatch) => {
    let open = XMLHttpRequest.prototype.open;
    XMLHttpRequest.prototype.open = function (method, url) {
        open.apply(this, arguments);

        if ((new URL(url, window.location)).toString().includes(urlmatch)) {
            this.setRequestHeader('X-XSRF-TOKEN', cookie('XSRF-TOKEN'))
        }
    }
};

xsrf('https://example.org/broadcasting/auth')

new Echo(...)