From 3c659601e2b698c06686c14abce9425ead581301 Mon Sep 17 00:00:00 2001
From: andreimarcu
Date: Wed, 14 Oct 2015 20:40:25 -0400
Subject: [PATCH] Make it an option for post uploads

---
 csrf.go | 4 ++--
 upload.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/csrf.go b/csrf.go
index 03b11b3..509d95c 100644
--- a/csrf.go
+++ b/csrf.go
@@ -8,7 +8,7 @@ import (
 // Do a strict referrer check, matching against both the Origin header (if
 // present) and the Referrer header. If a list of headers is specified, then
 // Referrer checking will be skipped if any of those headers are present.
-func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
+func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string, allowBlank bool) bool {
 	p, _ := url.Parse(prefix)
 
 	// if there's an Origin header, check it and skip other checks
@@ -25,7 +25,7 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
 
 	referrer := r.Header.Get("Referer")
 
-	if referrer == "" {
+	if allowBlank && referrer == "" {
 		return true
 	}
 
diff --git a/upload.go b/upload.go
index 9c14596..319be6b 100644
--- a/upload.go
+++ b/upload.go
@@ -46,7 +46,7 @@ type Upload struct {
 }
 
 func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
-	if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
+	if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}, false) {
 		badRequestHandler(c, w, r)
 		return
 	}
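Review bot: The doc comment above the new signature still describes the old three-parameter contract and says nothing about `allowBlank`, so a reader cannot tell from the comment whether a request with no Referer header is accepted or rejected. I would extend it with `// If allowBlank is true, a request that carries no Referer header passes the check; otherwise a missing Referer is treated like any other non-matching value.` The second half of that sentence depends on the comparison that follows the hunk in the body of strictReferrerCheck, which is outside this hunk, so confirm it against the rest of the function before committing the wording.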
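Review bot: With `allowBlank` false, a blank Referer no longer returns early but falls through to whatever comparison follows the hunk, so the rejection is implicit and relies on that comparison failing for an empty string; if it is a prefix match against `prefix`, an empty configured site URL would let a blank referrer through. Making the outcome explicit, `if referrer == "" { return allowBlank }`, preserves the allowBlank=true behaviour and rejects a blank referrer directly in the other case instead of depending on a later check. The remainder of strictReferrerCheck's body, including that comparison, is outside the hunk, so this is inferred from the visible lines.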
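Review bot: The bare `false` appended to the call in uploadPostHandler gives no hint at the call site of what is being disabled; a reader has to open csrf.go to learn it concerns a blank Referer header. A short comment on the line above the call, `// browser uploads must carry a Referer; a blank one is rejected`, would carry that intent. The whitelist-header slice literal is also now duplicated verbatim in this hunk and in the uploadRemote hunk below; hoisting it to a package-level `var referrerWhitelistHeaders = []string{...}` would keep the two call sites in step. The enclosing function continues past the end of the hunk.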
@@ -146,7 +146,7 @@ func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
 		}
 	} else {
 		// strict referrer checking is mandatory without remote auth keys
-		if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
+		if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}, true) {
 			badRequestHandler(c, w, r)
 			return
 		}
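Review bot: The comment `// strict referrer checking is mandatory without remote auth keys` now sits directly above a call that passes `allowBlank` as `true`, meaning a request with no Referer header at all is accepted on this path, which is looser than the comment promises. Either the comment should state why a blank Referer is tolerated here, e.g. `// referrer checking is mandatory without remote auth keys; a blank Referer is tolerated for non-browser clients, but a present one must match the site URL`, or the call should pass `false` like uploadPostHandler if that looseness is not intended. The enclosing function uploadRemote starts and ends outside the hunk, so the auth-key branch this `else` pairs with is not visible here.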