diff --git a/api/handler.go b/api/handler.go index fe8f2b947..ef60a8583 100644 --- a/api/handler.go +++ b/api/handler.go @@ -17,7 +17,6 @@ func (a *api) newHandler(settings *Settings) http.Handler { ) handler := a.newAPIHandler() - CSRFHandler := newCSRFHandler(a.dataPath) mux.Handle("/", fileHandler) mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", handler)) @@ -28,7 +27,12 @@ func (a *api) newHandler(settings *Settings) http.Handler { mux.HandleFunc("/templates", func(w http.ResponseWriter, r *http.Request) { templatesHandler(w, r, a.templatesURL) }) - return CSRFHandler(newCSRFWrapper(mux)) + // CSRF protection is disabled for the moment + // CSRFHandler := newCSRFHandler(a.dataPath) + // return CSRFHandler(newCSRFWrapper(mux)) + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + mux.ServeHTTP(w, r) + }) } // newAPIHandler initializes a new http.Handler based on the URL scheme diff --git a/app/app.js b/app/app.js index 5a1fda021..8f631ed51 100644 --- a/app/app.js +++ b/app/app.js @@ -33,9 +33,6 @@ angular.module('portainer', [ .config(['$stateProvider', '$urlRouterProvider', '$httpProvider', function ($stateProvider, $urlRouterProvider, $httpProvider) { 'use strict'; - $httpProvider.defaults.xsrfCookieName = 'csrfToken'; - $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'; - $urlRouterProvider.otherwise('/'); $stateProvider @@ -161,6 +158,8 @@ angular.module('portainer', [ }); // The Docker API likes to return plaintext errors, this catches them and disp + // $httpProvider.defaults.xsrfCookieName = 'csrfToken'; + // $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token'; $httpProvider.interceptors.push(function() { return { 'response': function(response) { @@ -172,10 +171,11 @@ angular.module('portainer', [ time: 10000 }); } - var csrfToken = response.headers('X-Csrf-Token'); - if (csrfToken) { - document.cookie = 'csrfToken=' + csrfToken; - } + // CSRF protection is disabled for the moment + // var csrfToken = response.headers('X-Csrf-Token'); + // if (csrfToken) { + // document.cookie = 'csrfToken=' + csrfToken; + // } return response; } };