From 9d59a92c9625c5687f768adce9da59440f6be57c Mon Sep 17 00:00:00 2001
From: Andreas Jaggi
Date: Tue, 17 Dec 2024 20:52:13 +0100
Subject: [PATCH] Skip CSRF for embeds

The CSRF middleware sets a _csrf cookie also for loading the embed javascript on third-party sites. With this change no _csrf cookie is set when loading the embed javascript (regardless if third-party site or first-party).
---
 internal/web/server.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/web/server.go b/internal/web/server.go
index f3d4850..5be650b 100644
--- a/internal/web/server.go
+++ b/internal/web/server.go
@@ -251,6 +251,11 @@ func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
 CookiePath: "/",
 CookieHTTPOnly: true,
 CookieSameSite: http.SameSiteStrictMode,
+ Skipper: func(ctx echo.Context) bool {
+ /* skip CSRF for embeds */
+ gistName := ctx.Param("gistname")
+ return filepath.Ext(gistName) == ".js"
+ },
 }))
 g1.Use(csrfInit)
 }
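Review bot: The added Skipper disables the CSRF middleware for every route in the group whenever the `gistname` parameter ends in `.js`, not only for the embed-script GET; if gist URL names can be user-chosen, a state-changing request whose gist name ends in `.js` would then bypass CSRF validation as well. Since the commit's stated goal is only to stop the `_csrf` cookie being set when the embed script is loaded, restrict the skip to safe methods, e.g. `return ctx.Request().Method == http.MethodGet && filepath.Ext(gistName) == ".js"` (`http` is already in scope in this hunk). As the value is a URL path segment rather than a filesystem path, `path.Ext` would be the more accurate helper, and `// skip CSRF for embeds` is the idiomatic comment form here. `NewServer` starts and ends outside the hunk.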