Disable CSRF protection (#313)

2016-11-03 15:56:10 +13:00 · 2016-11-03 15:56:10 +13:00 · f0e194f63b
parent eabf1f10e4
commit f0e194f63b
2 changed files with 13 additions and 9 deletions
--- a/api/handler.go
+++ b/api/handler.go
@ -17,7 +17,6 @@ func (a *api) newHandler(settings *Settings) http.Handler {
 	)

 	handler := a.newAPIHandler()
-	CSRFHandler := newCSRFHandler(a.dataPath)

 	mux.Handle("/", fileHandler)
 	mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", handler))
@ -28,7 +27,12 @@ func (a *api) newHandler(settings *Settings) http.Handler {
 	mux.HandleFunc("/templates", func(w http.ResponseWriter, r *http.Request) {
 		templatesHandler(w, r, a.templatesURL)
 	})
-	return CSRFHandler(newCSRFWrapper(mux))
+	// CSRF protection is disabled for the moment
+	// CSRFHandler := newCSRFHandler(a.dataPath)
+	// return CSRFHandler(newCSRFWrapper(mux))
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mux.ServeHTTP(w, r)
+	})
 }

 // newAPIHandler initializes a new http.Handler based on the URL scheme
--- a/app/app.js
+++ b/app/app.js
@ -33,9 +33,6 @@ angular.module('portainer', [
  .config(['$stateProvider', '$urlRouterProvider', '$httpProvider', function ($stateProvider, $urlRouterProvider, $httpProvider) {
    'use strict';

-    $httpProvider.defaults.xsrfCookieName = 'csrfToken';
-    $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
-
    $urlRouterProvider.otherwise('/');

    $stateProvider
@ -161,6 +158,8 @@ angular.module('portainer', [
    });

    // The Docker API likes to return plaintext errors, this catches them and disp
+    // $httpProvider.defaults.xsrfCookieName = 'csrfToken';
+    // $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
    $httpProvider.interceptors.push(function() {
      return {
        'response': function(response) {
@ -172,10 +171,11 @@ angular.module('portainer', [
              time: 10000
            });
          }
-          var csrfToken = response.headers('X-Csrf-Token');
-          if (csrfToken) {
-            document.cookie = 'csrfToken=' + csrfToken;
-          }
+          // CSRF protection is disabled for the moment
+          // var csrfToken = response.headers('X-Csrf-Token');
+          // if (csrfToken) {
+          //   document.cookie = 'csrfToken=' + csrfToken;
+          // }
          return response;
        }
      };