From e8bbf1dcdf57f1bb3f6a279345aaded3744fa142 Mon Sep 17 00:00:00 2001
From: Matt Bell
Date: Mon, 2 Feb 2015 20:16:17 -0800
Subject: [PATCH] commands/http: Made command HTTP API only accept requests from referers on the same server

---
 commands/http/handler.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/commands/http/handler.go b/commands/http/handler.go
index 999135a76..58e90370d 100644
--- a/commands/http/handler.go
+++ b/commands/http/handler.go
@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"strconv"
+	"strings"
 
 	context "github.com/jbenet/go-ipfs/Godeps/_workspace/src/code.google.com/p/go.net/context"
@@ -55,6 +56,20 @@ func (i Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	log.Debug("Incoming API request: ", r.URL)
 
+	// error on external referers (to prevent CSRF attacks)
+	referer := r.Referer()
+	scheme := r.URL.Scheme
+	if len(scheme) == 0 {
+		scheme = "http"
+	}
+	host := fmt.Sprintf("%s://%s/", scheme, r.Host)
+	// empty string means the user isn't following a link (they are directly typing in the url)
+	if referer != "" && !strings.HasPrefix(referer, host) {
+		w.WriteHeader(http.StatusForbidden)
+		w.Write([]byte("403 - Forbidden"))
+		return
+	}
+
 	if len(i.origin) > 0 {
 		w.Header().Set("Access-Control-Allow-Origin", i.origin)
 	}
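Review bot: The `scheme := r.URL.Scheme` fallback in the second hunk is effectively dead on the server side — net/http leaves URL.Scheme empty for incoming (non-proxy) requests, so `host` is always built with `http://` and a legitimate same-server referer over TLS would be rejected with 403; derive it from the connection instead, e.g. `scheme := "http"` followed by `if r.TLS != nil { scheme = "https" }`. The comparison also trusts `r.Host`, which is taken from the request itself, so the check is only as strong as the Host values this server is willing to answer for; an explicit allowlist of expected API hosts would make the decision independent of request-supplied data. Allowing an empty Referer is the other gap worth documenting at the `referer != ""` line: browsers may legitimately omit that header, so a cross-site request without one passes — applying the same rule to the `Origin` header when it is present narrows that. Minor: the `w.Write` error is discarded, and ServeHTTP's body continues past the hunk.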