a3723d3665
If the Origin header is present, we can check it and skip the other checks.
27 lines
545 B
Go
27 lines
545 B
Go
package main
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
|
|
p := strings.TrimSuffix(prefix, "/")
|
|
if origin := r.Header.Get("Origin"); origin != "" {
|
|
// if there's an Origin header, check it and ignore the rest
|
|
return strings.HasPrefix(origin, p)
|
|
}
|
|
|
|
for _, header := range whitelistHeaders {
|
|
if r.Header.Get(header) != "" {
|
|
return true
|
|
}
|
|
}
|
|
|
|
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|