mirror of
https://github.com/thomiceli/opengist.git
synced 2024-12-23 04:52:40 +00:00
Skip CSRF for embeds
The CSRF middleware sets a _csrf cookie also for loading the embed javascript on third-party sites. With this change no _csrf cookie is set when loading the embed javascript (regardless if third-party site or first-party).
This commit is contained in:
parent
4c5a7bda63
commit
9d59a92c96
1 changed files with 5 additions and 0 deletions
|
@ -251,6 +251,11 @@ func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
|
|||
CookiePath: "/",
|
||||
CookieHTTPOnly: true,
|
||||
CookieSameSite: http.SameSiteStrictMode,
|
||||
Skipper: func(ctx echo.Context) bool {
|
||||
/* skip CSRF for embeds */
|
||||
gistName := ctx.Param("gistname")
|
||||
return filepath.Ext(gistName) == ".js"
|
||||
},
|
||||
}))
|
||||
g1.Use(csrfInit)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue