linx-server/csrf.go
mutantmonkey a3723d3665 short-circuit on origin header
If the Origin header is present, we can check it and skip the other
checks.
2015-10-12 01:23:06 -07:00

27 lines
545 B
Go

package main
import (
"net/http"
"strings"
)
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
p := strings.TrimSuffix(prefix, "/")
if origin := r.Header.Get("Origin"); origin != "" {
// if there's an Origin header, check it and ignore the rest
return strings.HasPrefix(origin, p)
}
for _, header := range whitelistHeaders {
if r.Header.Get(header) != "" {
return true
}
}
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
return false
}
return true
}