strict referrer check improvements

* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header

csrf.go

@@ -6,21 +6,20 @@ import (
 )
 
 func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []string) bool {
+	p := strings.TrimSuffix(prefix, "/")
+	if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
+		return false
+	}
+
 	for _, header := range whitelistHeaders {
 		if r.Header.Get(header) != "" {
 			return true
 		}
 	}
 
-	p := strings.TrimSuffix(prefix, "/")
-
 	if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
 		return false
 	}
 
-	if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
-		return false
-	}
-
 	return true
 }

upload.go

@@ -46,7 +46,7 @@ type Upload struct {
 }
 
 func uploadPostHandler(c web.C, w http.ResponseWriter, r *http.Request) {
-	if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) {
+	if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
 		badRequestHandler(c, w, r)
 		return
 	}
@@ -145,7 +145,7 @@ func uploadRemote(c web.C, w http.ResponseWriter, r *http.Request) {
 		}
 	} else {
 		// strict referrer checking is mandatory without remote auth keys
-		if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize"}) {
+		if !strictReferrerCheck(r, Config.siteURL, []string{"Linx-Delete-Key", "Linx-Expiry", "Linx-Randomize", "X-Requested-With"}) {
 			badRequestHandler(c, w, r)
 			return
 		}