gitea/opengist
0
0
Fork 0
mirror of https://github.com/thomiceli/opengist.git synced 2025-06-14 06:07:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Skip CSRF for embeds (#402)

Browse Source 
* Skip CSRF for embeds

The CSRF middleware sets a _csrf cookie also for loading the embed
javascript on third-party sites. With this change no _csrf cookie is set
when loading the embed javascript (regardless if third-party site or
first-party).
This commit is contained in:
Andreas Jaggi
2025-01-20 02:18:45 +01:00
committed by GitHub
parent f935ee1a7e
commit a752e0561d
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/web/server/middlewares.go
View File

@ -58,6 +58,11 @@ func (s *Server) registerMiddlewares() {
CookiePath: "/", CookiePath: "/",
CookieHTTPOnly: true, CookieHTTPOnly: true,
CookieSameSite: http.SameSiteStrictMode, CookieSameSite: http.SameSiteStrictMode,
Skipper: func(ctx echo.Context) bool {
/* skip CSRF for embeds */
gistName := ctx.Param("gistname")
return filepath.Ext(gistName) == ".js"
},
})) }))
s.echo.Use(Middleware(csrfInit).toEcho()) s.echo.Use(Middleware(csrfInit).toEcho())
} }