justinas/nosurf

ExemptRegexps doesn't work

chespinoza opened this issue · 3 comments

I'm using something like that:
handler := nosurf.New(cleanHandler)
handler.ExemptRegexps("/css(.)", "/js(.)", "/images(.*)")

Exempting my assets, but it seems it doesn't work:

Request URL:http://192.168.237.131/js/bootstrap.min.js
Request Method:GET
Status Code:200 OK
Request Headers
Accept:/
Accept-Encoding:gzip,deflate,sdch
Accept-Language:es,en;q=0.8,en-CA;q=0.6
Connection:keep-alive
Cookie:csrf_token=WK6UlEqLP3ioDLsUhuQTc1ZZ08DujAS5Gbxv0G2Riow=; _ga=GA1.1.1561828371.1415760157; session=MTQxOTg4Mzk2N3xfVmc3amc5OFh4RW04VUVjekhxLS16SEIwcEpyY0RUZW9EU3lodHdPSk4zUzdnTUpfYlFpR3l0dmM0a182Y0NTNVRMWE5TQ25fNWZhdzAwOHR5MjROYm5vNGoxdDRPNlA1V0FFdU5sZmQ5cm1HWVZidHk4bUg3aDBzVDBwQUhXSFNQb1JlRjdGTndCbms2UTJCN0liM0ZMR0dyRjMyYUlKSWxUVjU3NlhZVWUzaDNsMlZGczJrcnlsd0V5ZVM5SG9pc3RRVjdINk9RRy1PY245aGlkZTdRSnJncWJZelBLT196cHIwSUM0OVVUQThsNXB6NHVOS2g0PXzY2_Q54s1zOKcqBe5NimAmarqUBGrgq6LsWp1kQ28QZg==; flash=MTQxOTg4Mzk3NXxEdi1EQkFFQ180UUFBUkFCRUFBQUJQLUVBQUE9fKrNyW2LmqkQYwTkI9cMXz3dRF2VVQQx2C0LNCx5_UNC
Host:192.168.237.131
Referer:http://192.168.237.131/login
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Response Headers
Accept-Ranges:bytes
Cache-Control:public, max-age=300
Content-Encoding:gzip
Content-Type:application/x-javascript
Date:Mon, 29 Dec 2014 20:30:43 GMT
Last-Modified:Thu, 29 Aug 2013 13:52:00 GMT
Transfer-Encoding:chunked
Vary:Cookie
Vary:Accept-Encoding

It is working - there's no Set-Cookie header. It's just that your cookie path is likely (the default of) "/", which means that your browser sends the cookie on any response. You can either:

a) Set a more precise path for your cookies
b) Use a different domain for your static assets

On Tue Dec 30 2014 at 04:36:46 ChristianEspinoza notifications@github.com wrote:

Oops, OK, thanks Matt.

To clear it up: Set-Cookie will still get sent even on exempted routes, but only when the existing token in Cookie is missing or invalid: ServeHTTP() returns early only after checking the presence of the cookie.

To test whether the routes were successfully exempted, issue a POST /js/. It should not prevent the request from happening, even though the form data contains no token.

Though I think you forgot asterisks for css and js routes: a period will only match one symbol.
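A cut-down stand-in for the behaviour described in this thread, added here as an example and not nosurf's own code: it assumes the exempt patterns are applied unanchored to the URL path with regexp.MatchString, issues the csrf_token cookie whenever it is missing (exempt route or not), and rejects unsafe-method requests that lack a matching token unless the path is exempt; the names guard, newGuard and isExempt and the cookie value are constructed for the example.

```go
package main

import (
	"net/http"
	"regexp"
)

// guard is a constructed stand-in for the nosurf handler (not nosurf's code),
// reduced to what the thread discusses: exempt regexps matched against the URL
// path, a token cookie issued when absent, and a token check on unsafe methods.
type guard struct {
	exempt []*regexp.Regexp
	next   http.Handler
}

func newGuard(next http.Handler, patterns ...string) *guard {
	g := &guard{next: next}
	for _, p := range patterns {
		g.exempt = append(g.exempt, regexp.MustCompile(p))
	}
	return g
}

// isExempt matches each pattern unanchored with MatchString (assumed to mirror
// nosurf); anchor a pattern, e.g. "^/js(.)$", to see that "(.)" is one character.
func (g *guard) isExempt(path string) bool {
	for _, re := range g.exempt {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

func (g *guard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("csrf_token")
	if err != nil { // no token cookie: issue one, exempt route or not
		c = &http.Cookie{Name: "csrf_token", Value: "constructed-token", Path: "/"}
		http.SetCookie(w, c)
	}
	unsafeMethod := r.Method != "GET" && r.Method != "HEAD" && r.Method != "OPTIONS"
	if unsafeMethod && !g.isExempt(r.URL.Path) && r.FormValue("csrf_token") != c.Value {
		http.Error(w, "CSRF token check failed", http.StatusBadRequest)
		return
	}
	g.next.ServeHTTP(w, r)
}
```

Driving it with net/http/httptest shows the two checks from the thread: a POST to /js/bootstrap.min.js with no token passes once /js(.*) is exempt, while a GET with no cookie still gets Set-Cookie on the same exempt route.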