author | Jakob Borg <jakob@nym.se> | 2016-05-21 13:48:55 +0000 |
---|---|---|
committer | Jakob Borg <jakob@nym.se> | 2016-05-21 22:56:10 +0900 |
commit | 4a228697cdc213b46ef3755c653bb7e9967248ae (patch) | |
tree | 5861d718486acf53073c72b087b66612c5d753dc | |
parent | b4f941784f2150cddfd3fd3a7501ee34c1b56777 (diff) |
GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3137
-rw-r--r-- | cmd/syncthing/gui.go | 4 | ||||
-rw-r--r-- | cmd/syncthing/gui_csrf.go | 15 |
2 files changed, 2 insertions, 17 deletions
diff --git a/cmd/syncthing/gui.go b/cmd/syncthing/gui.go
index 8e495b3d93..167324367a 100644
--- a/cmd/syncthing/gui.go
+++ b/cmd/syncthing/gui.go
@@ -397,10 +397,6 @@ func corsMiddleware(next http.Handler) http.Handler {
 //
 // See https://www.w3.org/TR/cors/ for details.
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- // Add a generous access-control-allow-origin header since we may be
- // redirecting REST requests over protocols
- w.Header().Add("Access-Control-Allow-Origin", "*")
-
 // Process OPTIONS requests
 if r.Method == "OPTIONS" {
 // Only GET/POST Methods are supported
diff --git a/cmd/syncthing/gui_csrf.go b/cmd/syncthing/gui_csrf.go
index 00e2d3e939..52b1234a4b 100644
--- a/cmd/syncthing/gui_csrf.go
+++ b/cmd/syncthing/gui_csrf.go
@@ -40,7 +40,8 @@ func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, n
 return
 }
 
- // Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
+ // Allow requests for anything not under the protected path prefix,
+ // and set a CSRF cookie if there isn't already a valid one.
 if !strings.HasPrefix(r.URL.Path, prefix) {
 cookie, err := r.Cookie("CSRF-Token-" + unique)
 if err != nil || !validCsrfToken(cookie.Value) {
@@ -55,18 +56,6 @@ func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, n
 return
 }
 
- if r.Method == "GET" {
- // Allow GET requests unconditionally, but if we got the CSRF
- // token cookie do the verification anyway so we keep the
- // csrfTokens list sorted by recent usage. We don't care about the
- // outcome of the validity check.
- if cookie, err := r.Cookie("CSRF-Token-" + unique); err == nil {
- validCsrfToken(cookie.Value)
- }
- next.ServeHTTP(w, r)
- return
- }
-
 // Verify the CSRF token
 token := r.Header.Get("X-CSRF-Token-" + unique)
 if !validCsrfToken(token) { |
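Review bot: Nothing left in corsMiddleware records why the blanket `Access-Control-Allow-Origin: *` was dropped, so a later request from someone wiring up a cross-origin REST client could reintroduce it; the only remaining source of CORS headers is presumably the OPTIONS branch that begins at the end of this hunk. I'd leave a comment where the header used to be, e.g. `// Deliberately no Access-Control-Allow-Origin on ordinary responses: a wildcard would let any origin read REST replies from a GUI that has no authentication configured.` The header comment above (`See https://www.w3.org/TR/cors/ for details.`) may still describe the old behaviour and is worth re-reading. corsMiddleware's body continues outside the hunk.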
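Review bot: The surviving `// Verify the CSRF token` comment in the @@ -55 hunk now governs every method under the prefix, GET included, but nothing says that this is intentional now that the GET exemption and its explanatory comment are gone; I'd expand it to `// Verify the CSRF token on every method under the protected prefix, GET included; safe-method exemptions would let a cross-origin page read REST responses.` A request without the X-CSRF-Token header reaches validCsrfToken as the empty string, so rejecting header-less requests depends on how that helper (not visible here) treats ""; an explicit `if token == "" {` rejection before the call would make the check independent of the helper. The earlier hunk of this file (@@ -40) only rewords a comment. csrfMiddleware's body continues outside the hunk.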