From a752e0561dfefaacd83eb9badd48b71ccc3e66b4 Mon Sep 17 00:00:00 2001
From: Andreas Jaggi
Date: Mon, 20 Jan 2025 02:18:45 +0100
Subject: [PATCH] Skip CSRF for embeds (#402)

* Skip CSRF for embeds

The CSRF middleware sets a _csrf cookie also for loading the embed javascript on third-party sites. With this change no _csrf cookie is set when loading the embed javascript (regardless if third-party site or first-party).
---
 internal/web/server/middlewares.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/web/server/middlewares.go b/internal/web/server/middlewares.go
index 26a6f72..4149848 100644
--- a/internal/web/server/middlewares.go
+++ b/internal/web/server/middlewares.go
@@ -58,6 +58,11 @@ func (s *Server) registerMiddlewares() {
 CookiePath: "/",
 CookieHTTPOnly: true,
 CookieSameSite: http.SameSiteStrictMode,
+ Skipper: func(ctx echo.Context) bool {
+ /* skip CSRF for embeds */
+ gistName := ctx.Param("gistname")
+ return filepath.Ext(gistName) == ".js"
+ },
 }))
 s.echo.Use(Middleware(csrfInit).toEcho())
 }
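Review bot: The new Skipper disables the CSRF middleware for every request whose `gistname` parameter ends in `.js`, keyed neither on the route nor on the HTTP method, whereas the commit message only aims at not issuing the `_csrf` cookie for the embed script. In echo's CSRF middleware a Skipper returning true bypasses token validation too, so if any state-changing route (POST/PUT/DELETE) also carries a `gistname` parameter and accepts a value ending in `.js`, that request would go unchecked — the route table is not visible from this hunk, so this is inferred and worth confirming. Narrowing the skip to safe methods, e.g. `return ctx.Request().Method == http.MethodGet && filepath.Ext(gistName) == ".js"`, or matching the embed route via `ctx.Path()`, keeps the cookie suppression without widening the bypass. As a style point, `/* skip CSRF for embeds */` would conventionally be a `//` line comment, and `path.Ext` is the usual choice over `filepath.Ext` for a URL segment. registerMiddlewares begins before the hunk.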