From f0e194f63b49f8de989afc2376872d940dfcd4b1 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna
Date: Thu, 3 Nov 2016 15:56:10 +1300
Subject: [PATCH] Disable CSRF protection (#313)

---
 api/handler.go | 8 ++++++--
 app/app.js | 14 +++++++-------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/api/handler.go b/api/handler.go
index fe8f2b947..ef60a8583 100644
--- a/api/handler.go
+++ b/api/handler.go
@@ -17,7 +17,6 @@ func (a *api) newHandler(settings *Settings) http.Handler {
 )
 handler := a.newAPIHandler()
- CSRFHandler := newCSRFHandler(a.dataPath)
 mux.Handle("/", fileHandler)
 mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", handler))
@@ -28,7 +27,12 @@ func (a *api) newHandler(settings *Settings) http.Handler {
 mux.HandleFunc("/templates", func(w http.ResponseWriter, r *http.Request) {
 templatesHandler(w, r, a.templatesURL)
 })
- return CSRFHandler(newCSRFWrapper(mux))
+ // CSRF protection is disabled for the moment
+ // CSRFHandler := newCSRFHandler(a.dataPath)
+ // return CSRFHandler(newCSRFWrapper(mux))
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ mux.ServeHTTP(w, r)
+ })
 }
 // newAPIHandler initializes a new http.Handler based on the URL scheme
diff --git a/app/app.js b/app/app.js
index 5a1fda021..8f631ed51 100644
--- a/app/app.js
+++ b/app/app.js
@@ -33,9 +33,6 @@ angular.module('portainer', [
 .config(['$stateProvider', '$urlRouterProvider', '$httpProvider', function ($stateProvider, $urlRouterProvider, $httpProvider) {
 'use strict';
- $httpProvider.defaults.xsrfCookieName = 'csrfToken';
- $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
-
 $urlRouterProvider.otherwise('/');
 $stateProvider
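Review bot: The second handler.go hunk drops the `CSRFHandler(newCSRFWrapper(mux))` wrapping and returns the bare mux with nothing in its place, yet the same mux fronts the `/dockerapi/` proxy registered in the first hunk, so unless something outside this diff restricts origins, state-changing cross-site requests from a browser can now reach that proxy; the comment should say so and point at the tracking issue rather than only "for the moment", e.g. `// TODO(#313): CSRF protection disabled — cross-site browser requests can reach /dockerapi/ until a same-origin check or token is restored.` A small interim mitigation that fits inside the returned HandlerFunc would be to compare the Origin (or Referer) header against Host on non-GET methods and reject mismatches before calling `mux.ServeHTTP`. Separately, `http.HandlerFunc(func(w, r) { mux.ServeHTTP(w, r) })` is equivalent to `return mux`, since *http.ServeMux already implements http.Handler, and the three commented-out lines are dead code that version control preserves anyway. newCSRFHandler and newCSRFWrapper presumably remain defined elsewhere in the package and will now be flagged as unused by staticcheck; newHandler's signature and var block lie above the hunk.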
@@ -161,6 +158,8 @@ angular.module('portainer', [
 });
 // The Docker API likes to return plaintext errors, this catches them and disp
+ // $httpProvider.defaults.xsrfCookieName = 'csrfToken';
+ // $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
 $httpProvider.interceptors.push(function() {
 return {
 'response': function(response) {
@@ -172,10 +171,11 @@ angular.module('portainer', [
 time: 10000
 });
 }
- var csrfToken = response.headers('X-Csrf-Token');
- if (csrfToken) {
- document.cookie = 'csrfToken=' + csrfToken;
- }
+ // CSRF protection is disabled for the moment
+ // var csrfToken = response.headers('X-Csrf-Token');
+ // if (csrfToken) {
+ // document.cookie = 'csrfToken=' + csrfToken;
+ // }
 return response;
 }
 };
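Review bot: The commented-out `$httpProvider.defaults.xsrfCookieName` / `xsrfHeaderName` lines in the @@ -161 hunk are re-added above the interceptor push, a different place from where the live lines were removed in the @@ -33 hunk, and the @@ -172 hunk keeps four more commented-out lines, so a reader now has to reconcile two dead blocks plus the server-side one. Replacing both blocks with a single comment such as `// CSRF token handling removed with the server-side check; see #313 before re-enabling either side` would read cleaner and let version control hold the old code. It is worth stating in that comment that the server-side `newCSRFHandler` wrapping and this client-side token plumbing must be restored together, since re-enabling only the server would presumably reject every state-changing request from this UI. The enclosing `.config` function starts and ends outside both hunks.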