Fix CSRF & bump to v0.7.1 (#328)

* Disable CSRF check for debug mode (to support Colab) * Bump to v0.7.1
google · May 30, 2024 · d7b9f32 · d7b9f32
1 parent 55c20b4
commit d7b9f32
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/mesop/server/server.py b/mesop/server/server.py
@@ -163,7 +163,12 @@ def generate_data(ui_request: pb.UiRequest) -> Generator[str, None, None]:
   def ui_stream() -> Response:
     # Prevent CSRF by checking the request origin matches the origin
     # of the URL root (where the Flask app is being served from)
-    if not is_same_origin(request.headers.get("Origin"), request.url_root):
+    #
+    # Skip the check if it's running in debug mode because when
+    # running in Colab, the UI and HTTP requests are on different origins.
+    if not runtime().debug_mode and not is_same_origin(
+      request.headers.get("Origin"), request.url_root
+    ):
       abort(403, "Rejecting cross-site POST request to /ui")
     data = request.data
     if not data:

diff --git a/mesop/version.py b/mesop/version.py
@@ -1,6 +1,6 @@
 """Contains the version string."""
 
-VERSION = "0.7.0"
+VERSION = "0.7.1"
 
 if __name__ == "__main__":
   print(VERSION)