Skip CSRF for embeds

The CSRF middleware currently sets a _csrf cookie even when the embed
JavaScript is loaded on third-party sites. With this change, no _csrf cookie is
set when the embed JavaScript is loaded, regardless of whether the page is
on a third-party or first-party site.
Andreas Jaggi 2024-12-17 20:52:13 +01:00
parent 4c5a7bda63
commit 9d59a92c96


@ -251,6 +251,11 @@ func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
CookiePath: "/", CookiePath: "/",
CookieHTTPOnly: true, CookieHTTPOnly: true,
CookieSameSite: http.SameSiteStrictMode, CookieSameSite: http.SameSiteStrictMode,
Skipper: func(ctx echo.Context) bool {
/* skip CSRF for embeds */
gistName := ctx.Param("gistname")
return filepath.Ext(gistName) == ".js"
},
})) }))
g1.Use(csrfInit) g1.Use(csrfInit)
} }
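Review bot: The Skipper added on the new lines exempts every request in this middleware group whose `gistname` parameter ends in `.js`, not only the GET that serves the embed script, so any state-changing route under this middleware that takes `:gistname` would also run without CSRF validation for a gist whose name ends in `.js` (whether users can choose such names is not visible in this hunk). Narrowing the skip to the embed read, e.g. `return ctx.Request().Method == http.MethodGet && filepath.Ext(gistName) == ".js"`, or matching the registered embed route through `ctx.Path()`, keeps the exemption to the intent stated in the commit message. `path.Ext` is the more appropriate helper for a URL path segment than `filepath.Ext`, which is OS-path aware. Stylistically, Go code conventionally uses `// skip CSRF for embeds` rather than the block-comment form. The body of NewServer begins and ends outside the hunk.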