Allow GET requests without CSRF

2014-08-02 08:19:10 +02:00 · 2014-08-02 08:19:10 +02:00 · d65bbf2113
parent b8bfc9b732
commit d65bbf2113
1 changed files with 6 additions and 0 deletions
--- a/cmd/syncthing/gui_csrf.go
+++ b/cmd/syncthing/gui_csrf.go
@ -43,6 +43,12 @@ func csrfMiddleware(prefix string, next http.Handler) http.Handler {
 			return
 		}

+		if r.Method == "GET" {
+			// Allow GET requests unconditionally
+			next.ServeHTTP(w, r)
+			return
+		}
+
 		// Verify the CSRF token
 		token := r.Header.Get("X-CSRF-Token")
 		if !validCsrfToken(token) {