Skip CSRF for embeds

The CSRF middleware sets a _csrf cookie also for loading the embed javascript on third-party sites. With this change no _csrf cookie is set when loading the embed javascript (regardless if third-party site or first-party).
thomiceli · Dec 17, 2024 · be6715c · be6715c
1 parent 4c5a7bd
commit be6715c
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/internal/web/server.go b/internal/web/server.go
@@ -251,6 +251,14 @@ func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
 				CookiePath:     "/",
 				CookieHTTPOnly: true,
 				CookieSameSite: http.SameSiteStrictMode,
+				Skipper: func(ctx echo.Context) bool {
+					/* skip CSRF for embeds */
+					gistName := ctx.Param("gistname")
+					if filepath.Ext(gistName) == ".js" {
+						return true
+					}
+					return false
+				},
 			}))
 			g1.Use(csrfInit)
 		}