-
Notifications
You must be signed in to change notification settings - Fork 192
/
csrf.go
36 lines (29 loc) · 956 Bytes
/
csrf.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
package main
import (
"net/http"
"net/url"
)
// Do a strict referrer check, matching against both the Origin header (if
// present) and the Referrer header. If a list of headers is specified, then
// Referrer checking will be skipped if any of those headers are present.
func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
p, _ := url.Parse(prefix)
// if there's an Origin header, check it and skip other checks
if origin := r.Header.Get("Origin"); origin != "" {
u, _ := url.Parse(origin)
return sameOrigin(u, p)
}
for _, header := range whitelistHeaders {
if r.Header.Get(header) != "" {
return true
}
}
referrer := r.Header.Get("Referer")
u, _ := url.Parse(referrer)
return sameOrigin(u, p)
}
// Check if two URLs have the same origin
func sameOrigin(u1, u2 *url.URL) bool {
// host also contains the port if one was specified
return (u1.Scheme == u2.Scheme && u1.Host == u2.Host)
}