CSRF protection should only cover /rest

2014-07-06 15:00:44 +02:00
parent 31350b4352
commit b7ea695caf
2 changed files with 6 additions and 4 deletions
--- a/cmd/syncthing/gui.go
+++ b/cmd/syncthing/gui.go
@@ -126,8 +126,9 @@ func startGUI(cfg config.GUIConfiguration, assetDir string, m *model.Model) erro
 		mux.HandleFunc("/", embeddedStatic)
 	}

-	// Wrap everything in CSRF protection
-	handler := csrfMiddleware(mux)
+	// Wrap everything in CSRF protection. The /rest prefix should be
+	// protected, other requests will grant cookies.
+	handler := csrfMiddleware("/rest", mux)

 	// Wrap everything in basic auth, if user/password is set.
 	if len(cfg.User) > 0 {