From a3723d3665480a784af8dd1c4b181641d2b4f257 Mon Sep 17 00:00:00 2001
From: mutantmonkey
Date: Mon, 12 Oct 2015 01:23:06 -0700
Subject: [PATCH] short-circuit on origin header

If the Origin header is present, we can check it and skip the other checks.
---
 csrf.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/csrf.go b/csrf.go
index fdf3d93..b70215b 100644
--- a/csrf.go
+++ b/csrf.go
@@ -7,8 +7,9 @@ import (

 func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
 p := strings.TrimSuffix(prefix, "/")
- if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
- return false
+ if origin := r.Header.Get("Origin"); origin != "" {
+ // if there's an Origin header, check it and ignore the rest
+ return strings.HasPrefix(origin, p)
 }

 for _, header := range whitelistHeaders {
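Review bot: The added `return strings.HasPrefix(origin, p)` is now the only CSRF decision whenever an Origin header is present, and a string-prefix match is weaker than an origin match: any origin whose text merely begins with the configured site URL (the same host name followed by further labels or a port suffix) passes it. Compare the full origin for equality instead, for example `u, err := url.Parse(p)` followed by `return err == nil && origin == u.Scheme+"://"+u.Host`, which needs `net/url` added to the import block that is only partly visible here. Because an Origin value never carries a path, the equality form also keeps working if `prefix` is configured with a path component, which the current prefix test presumably would not; confirm how callers set `prefix`. The body of `strictReferrerCheck` continues past the end of the hunk, so the header and Referer checks that this branch now skips are not visible for comparison.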