From d7b9f324ea1125025a5dd6ae68dd92eab2e10b82 Mon Sep 17 00:00:00 2001
From: Will Chen
Date: Wed, 29 May 2024 20:57:57 -0700
Subject: [PATCH] Fix CSRF & bump to v0.7.1 (#328)

* Disable CSRF check for debug mode (to support Colab)
* Bump to v0.7.1
---
 mesop/server/server.py | 7 ++++++-
 mesop/version.py | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/mesop/server/server.py b/mesop/server/server.py
index 94b1c855c..45f1c098c 100644
--- a/mesop/server/server.py
+++ b/mesop/server/server.py
@@ -163,7 +163,12 @@ def generate_data(ui_request: pb.UiRequest) -> Generator[str, None, None]:
 def ui_stream() -> Response:
 # Prevent CSRF by checking the request origin matches the origin
 # of the URL root (where the Flask app is being served from)
- if not is_same_origin(request.headers.get("Origin"), request.url_root):
+ #
+ # Skip the check if it's running in debug mode because when
+ # running in Colab, the UI and HTTP requests are on different origins.
+ if not runtime().debug_mode and not is_same_origin(
+ request.headers.get("Origin"), request.url_root
+ ):
 abort(403, "Rejecting cross-site POST request to /ui")
 data = request.data
 if not data:
diff --git a/mesop/version.py b/mesop/version.py
index 06a651eef..7299c9300 100644
--- a/mesop/version.py
+++ b/mesop/version.py
@@ -1,6 +1,6 @@
 """Contains the version string."""
 
-VERSION = "0.7.0"
+VERSION = "0.7.1"
 
 if __name__ == "__main__":
 print(VERSION)
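Review bot: The new `not runtime().debug_mode and not is_same_origin(...)` condition in `ui_stream` switches the Origin check off for every debug-mode server, not only for Colab, so a locally running debug instance accepts a cross-site POST to `/ui` from any page open in the developer's browser. The added comment names Colab as the only case that needs the skip, so it would be safer to scope the bypass to that case, for example by comparing `Origin` against an explicit, operator-configured allowlist of trusted origins and keeping `abort(403, ...)` for everything else. If the broad skip stays, the comment should state the consequence, e.g. `# SECURITY: in debug mode /ui accepts POSTs from any origin; use debug mode only for local development, never on a reachable deployment.` Where `runtime` is imported is not visible in this hunk, and the body of `ui_stream` continues past its last line.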