short-circuit on origin header
If the Origin header is present, we can check it and skip the other checks.
This commit is contained in:
parent
0a1aa869e4
commit
a3723d3665
5
csrf.go
5
csrf.go
@ -7,8 +7,9 @@ import (
|
|||||||
|
|
||||||
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
|
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
|
||||||
p := strings.TrimSuffix(prefix, "/")
|
p := strings.TrimSuffix(prefix, "/")
|
||||||
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
|
if origin := r.Header.Get("Origin"); origin != "" {
|
||||||
return false
|
// if there's an Origin header, check it and ignore the rest
|
||||||
|
return strings.HasPrefix(origin, p)
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, header := range whitelistHeaders {
|
for _, header := range whitelistHeaders {
|
||||||
|
Loading…
Reference in New Issue
Block a user