cmd/syncthing: Enforce stricter CSRF policy on /rest GET requests

GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3137

cmd/syncthing/gui.go

@@ -397,10 +397,6 @@ func corsMiddleware(next http.Handler) http.Handler {
 	//
 	// See https://www.w3.org/TR/cors/ for details.
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Add a generous access-control-allow-origin header since we may be
-		// redirecting REST requests over protocols
-		w.Header().Add("Access-Control-Allow-Origin", "*")
-
 		// Process OPTIONS requests
 		if r.Method == "OPTIONS" {
 			// Only GET/POST Methods are supported

cmd/syncthing/gui_csrf.go

@@ -40,7 +40,8 @@ func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, n
 			return
 		}
 
-		// Allow requests for the front page, and set a CSRF cookie if there isn't already a valid one.
+		// Allow requests for anything not under the protected path prefix,
+		// and set a CSRF cookie if there isn't already a valid one.
 		if !strings.HasPrefix(r.URL.Path, prefix) {
 			cookie, err := r.Cookie("CSRF-Token-" + unique)
 			if err != nil || !validCsrfToken(cookie.Value) {
@@ -55,18 +56,6 @@ func csrfMiddleware(unique string, prefix string, cfg config.GUIConfiguration, n
 			return
 		}
 
-		if r.Method == "GET" {
-			// Allow GET requests unconditionally, but if we got the CSRF
-			// token cookie do the verification anyway so we keep the
-			// csrfTokens list sorted by recent usage. We don't care about the
-			// outcome of the validity check.
-			if cookie, err := r.Cookie("CSRF-Token-" + unique); err == nil {
-				validCsrfToken(cookie.Value)
-			}
-			next.ServeHTTP(w, r)
-			return
-		}
-
 		// Verify the CSRF token
 		token := r.Header.Get("X-CSRF-Token-" + unique)
 		if !validCsrfToken(token) {