Skip CSRF for embeds
The CSRF middleware also sets a _csrf cookie when the embed JavaScript is loaded on third-party sites. With this change, no _csrf cookie is set when loading the embed JavaScript (regardless of whether the site is third-party or first-party).
parent
4c5a7bda63
commit
9d59a92c96
1 changed files with 5 additions and 0 deletions
|
@ -251,6 +251,11 @@ func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
|
||||||
CookiePath: "/",
|
CookiePath: "/",
|
||||||
CookieHTTPOnly: true,
|
CookieHTTPOnly: true,
|
||||||
CookieSameSite: http.SameSiteStrictMode,
|
CookieSameSite: http.SameSiteStrictMode,
|
||||||
|
Skipper: func(ctx echo.Context) bool {
|
||||||
|
/* skip CSRF for embeds */
|
||||||
|
gistName := ctx.Param("gistname")
|
||||||
|
return filepath.Ext(gistName) == ".js"
|
||||||
|
},
|
||||||
}))
|
}))
|
||||||
g1.Use(csrfInit)
|
g1.Use(csrfInit)
|
||||||
}
|
}
|
||||||
|
|
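Review bot: The new `Skipper` is keyed only on the `gistname` path parameter, so it turns the CSRF middleware off for every method and every route in this group whose `gistname` ends in `.js`, not only for the GET that serves the embed script. If a state-changing route carries that parameter and its handler accepts a `.js`-suffixed name (not visible in this hunk), that request would no longer need a token and would rely on `CookieSameSite: http.SameSiteStrictMode` alone. Limiting the skip to safe requests still keeps `_csrf` from being set on embed loads: `return ctx.Request().Method == http.MethodGet && filepath.Ext(gistName) == ".js"`. The `/* skip CSRF for embeds */` comment could also say why the exemption is safe (the embed script is fetched cross-site and submits nothing); `NewServer`'s body starts outside the hunk.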