Remove CSRF protection for now, until I fix it

2024-12-28 10:34:53 +09:00 · 2016-02-17 11:49:41 +00:00 · 2016-02-17 11:49:41 +00:00 · 7ede602d1d
commit 7ede602d1d
parent 8e3675865d
2 changed files with 24 additions and 24 deletions
--- a/src/Foundation.hs
+++ b/src/Foundation.hs
@ -81,7 +81,7 @@ instance Yesod App where
    --   b) Validates that incoming write requests include that token in either a header or POST parameter.
    -- For details, see the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package.
    yesodMiddleware =
-        defaultCsrfMiddleware .
+        -- defaultCsrfMiddleware .
        -- sslOnlyMiddleware 120 .
        defaultYesodMiddleware
--- a/templates/default-layout-wrapper.hamlet
+++ b/templates/default-layout-wrapper.hamlet
@ -12,29 +12,29 @@ $newline never
    ^{pageHead pc}
-    <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.js">
+$#  <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.js">
-    <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/js-cookie/2.0.3/js.cookie.min.js">
+$#  <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/js-cookie/2.0.3/js.cookie.min.js">
-
+$#
-    <script>
+$#  <script>
-      /* The `defaultCsrfMiddleware` Middleware added in Foundation.hs adds a CSRF token the request cookies. */
+$#    /* The `defaultCsrfMiddleware` Middleware added in Foundation.hs adds a CSRF token the request cookies. */
-      /* AJAX requests should add that token to a header to be validated by the server. */
+$#    /* AJAX requests should add that token to a header to be validated by the server. */
-      /* See the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package for details. */
+$#    /* See the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package for details. */
-      var csrfHeaderName = "#{TE.decodeUtf8 $ CI.foldedCase defaultCsrfHeaderName}";
+$#    var csrfHeaderName = "#{TE.decodeUtf8 $ CI.foldedCase defaultCsrfHeaderName}";
-
+$#
-      var csrfCookieName = "#{TE.decodeUtf8 defaultCsrfCookieName}";
+$#    var csrfCookieName = "#{TE.decodeUtf8 defaultCsrfCookieName}";
-      var csrfToken = Cookies.get(csrfCookieName);
+$#    var csrfToken = Cookies.get(csrfCookieName);
-
+$#
-
+$#
-      if (csrfToken) {
+$#    if (csrfToken) {
-      \  $.ajaxPrefilter(function( options, originalOptions, jqXHR ) {
+$#    \  $.ajaxPrefilter(function( options, originalOptions, jqXHR ) {
-      \      if (!options.crossDomain) {
+$#    \      if (!options.crossDomain) {
-      \          jqXHR.setRequestHeader(csrfHeaderName, csrfToken);
+$#    \          jqXHR.setRequestHeader(csrfHeaderName, csrfToken);
-      \      }
+$#    \      }
-      \  });
+$#    \  });
-      }
+$#    }
-
+$#
-    <script>
+$#  <script>
-      document.documentElement.className = document.documentElement.className.replace(/\bno-js\b/,'js');
+$#    document.documentElement.className = document.documentElement.className.replace(/\bno-js\b/,'js');
  <body>
    <div class="container">
      <header>