trim trailing / for origin checking

csrf.go

@@ -16,7 +16,7 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
 		return false
 	}
 
-	if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, prefix) {
+	if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, strings.TrimSuffix(prefix, "/")) {
 		return false
 	}
 

server_test.go

@@ -248,7 +248,7 @@ func TestPostCodeUploadBadOrigin(t *testing.T) {
 	req.PostForm = form
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Referer", Config.siteURL)
-	req.Header.Set("Origin", "http://example.com/")
+	req.Header.Set("Origin", "http://example.com")
 
 	mux.ServeHTTP(w, req)
 
@@ -274,6 +274,7 @@ func TestPostCodeExpiryJSONUpload(t *testing.T) {
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Accept", "application/json")
 	req.Header.Set("Referer", Config.siteURL)
+	req.Header.Set("Origin", strings.TrimSuffix(Config.siteURL, "/"))
 
 	mux.ServeHTTP(w, req)