a7ae455ac1
* Always check Origin if it is present, regardless of headers sent * Whitelist X-Requested-With header
26 lines
492 B
Go
26 lines
492 B
Go
package main
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
|
|
p := strings.TrimSuffix(prefix, "/")
|
|
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
|
|
return false
|
|
}
|
|
|
|
for _, header := range whitelistHeaders {
|
|
if r.Header.Get(header) != "" {
|
|
return true
|
|
}
|
|
}
|
|
|
|
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|