remove DisableCrossOriginProtection

silverwind · silverwind · commit da28335eb491 · 2025-12-18T12:08:32.000+01:00
diff --git a/routers/common/auth.go b/routers/common/auth.go
@@ -38,8 +38,7 @@ func AuthShared(ctx *context.Base, sessionStore auth_service.SessionStore, authM
 
 // VerifyOptions contains required or check options
 type VerifyOptions struct {
-	SignInRequired               bool
-	SignOutRequired              bool
-	AdminRequired                bool
-	DisableCrossOriginProtection bool
+	SignInRequired  bool
+	SignOutRequired bool
+	AdminRequired   bool
 }
diff --git a/routers/web/githttp.go b/routers/web/githttp.go
@@ -22,5 +22,5 @@ func addOwnerRepoGitHTTPRouters(m *web.Router) {
 		m.Methods("GET,OPTIONS", "/objects/{head:[0-9a-f]{2}}/{hash:[0-9a-f]{38,62}}", repo.GetLooseObject)
 		m.Methods("GET,OPTIONS", "/objects/pack/pack-{file:[0-9a-f]{40,64}}.pack", repo.GetPackFile)
 		m.Methods("GET,OPTIONS", "/objects/pack/pack-{file:[0-9a-f]{40,64}}.idx", repo.GetIdxFile)
-	}, optSignInAnyOrigin, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context.UserAssignmentWeb())
+	}, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context.UserAssignmentWeb())
 }
diff --git a/routers/web/web.go b/routers/web/web.go
@@ -178,7 +178,7 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Cont
 			return
 		}
 
-		if !options.SignOutRequired && !options.DisableCrossOriginProtection {
+		if !options.SignOutRequired {
 			if err := crossOrginProtection.Check(ctx.Req); err != nil {
 				http.Error(ctx.Resp, err.Error(), http.StatusForbidden)
 				return
@@ -292,8 +292,6 @@ func Routes() *web.Router {
 	return routes
 }
 
-var optSignInAnyOrigin = verifyAuthWithOptions(&common.VerifyOptions{DisableCrossOriginProtection: true})
-
 // registerWebRoutes register routes
 func registerWebRoutes(m *web.Router) {
 	// required to be signed in or signed out
@@ -489,7 +487,7 @@ func registerWebRoutes(m *web.Router) {
 	m.Post("/-/markup", reqSignIn, web.Bind(structs.MarkupOption{}), misc.Markup)
 
 	m.Get("/-/web-theme/list", misc.WebThemeList)
-	m.Post("/-/web-theme/apply", optSignInAnyOrigin, misc.WebThemeApply)
+	m.Post("/-/web-theme/apply", misc.WebThemeApply)
 
 	m.Group("/explore", func() {
 		m.Get("", func(ctx *context.Context) {
@@ -572,7 +570,7 @@ func registerWebRoutes(m *web.Router) {
 			m.Methods("POST, OPTIONS", "/access_token", web.Bind(forms.AccessTokenForm{}), auth.AccessTokenOAuth)
 			m.Methods("GET, OPTIONS", "/keys", auth.OIDCKeys)
 			m.Methods("POST, OPTIONS", "/introspect", web.Bind(forms.IntrospectTokenForm{}), auth.IntrospectOAuth)
-		}, optionsCorsHandler(), optSignInAnyOrigin)
+		}, optionsCorsHandler())
 	}, oauth2Enabled)
 
 	m.Group("/user/settings", func() {
@@ -1655,7 +1653,7 @@ func registerWebRoutes(m *web.Router) {
 		m.Post("/action/{action:accept_transfer|reject_transfer}", reqSignIn, repo.ActionTransfer)
 	}, optSignIn, context.RepoAssignment)
 
-	common.AddOwnerRepoGitLFSRoutes(m, optSignInAnyOrigin, lfsServerEnabled) // "/{username}/{reponame}/{lfs-paths}": git-lfs support
+	common.AddOwnerRepoGitLFSRoutes(m, lfsServerEnabled) // "/{username}/{reponame}/{lfs-paths}": git-lfs support
 
 	addOwnerRepoGitHTTPRouters(m) // "/{username}/{reponame}/{git-paths}": git http support
 

Original file line number	Diff line number	Diff line change
`@@ -22,5 +22,5 @@ func addOwnerRepoGitHTTPRouters(m *web.Router) {`
`22`	`22`	`m.Methods("GET,OPTIONS", "/objects/{head:[0-9a-f]{2}}/{hash:[0-9a-f]{38,62}}", repo.GetLooseObject)`
`23`	`23`	`m.Methods("GET,OPTIONS", "/objects/pack/pack-{file:[0-9a-f]{40,64}}.pack", repo.GetPackFile)`
`24`	`24`	`m.Methods("GET,OPTIONS", "/objects/pack/pack-{file:[0-9a-f]{40,64}}.idx", repo.GetIdxFile)`
`25`		`- }, optSignInAnyOrigin, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context.UserAssignmentWeb())`
	`25`	`+ }, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context.UserAssignmentWeb())`
`26`	`26`	`}`