Blank referrers are allowed

9 years ago · 9b724725b3
3 changed files with 11 additions and 2 deletions
--- a/csrf.go
+++ b/csrf.go
@ -24,6 +24,11 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
 	}
 	referrer := r.Header.Get("Referer")
 	if referrer == "" {
 		return true
 	}
 	u, _ := url.Parse(referrer)
 	return sameOrigin(u, p)
 }
--- a/templates/400.html
+++ b/templates/400.html
@ -1,5 +1,7 @@
 {% extends "base.html" %}
 {% block content %}
 400 Bad Request
 <div id="main">
 	400 Bad Request
 </div>
 {% endblock %}
--- a/templates/401.html
+++ b/templates/401.html
@ -1,5 +1,7 @@
 {% extends "base.html" %}
 {% block content %}
 401 Unauthorized
 <div id="main">
 	401 Unauthorized
 </div>
 {% endblock %}