@@ -15,19 +15,6 @@ const (
1515 ACACredentials = "Access-Control-Allow-Credentials"
1616)
1717
18- // disallowedUserAgents specifies a denylist of user agents that are not
19- // allowed to perform POST requests if they are not providing Origin
20- // and/or Referer headers. As mitigation for things like
21- // https://bugzilla.mozilla.org/show_bug.cgi?id=429594. Defaults to
22- // Firefox-related things. The matching against the user-agent string
23- // is made with strings.Contains().
24- var disallowedUserAgents = []string {
25- "Firefox" ,
26- "Focus" ,
27- "Klar" ,
28- "FxiOS" ,
29- }
30-
3118type ServerConfig struct {
3219 // APIPath is the prefix of all request paths.
3320 // Example: host:port/api/v0/add. Here the APIPath is /api/v0
@@ -191,12 +178,15 @@ func allowUserAgent(r *http.Request, cfg *ServerConfig) bool {
191178 return true
192179 }
193180
194- // If not, check that request is not from a blacklisted UA.
181+ // Allow if the user agent does not start with Mozilla... (i.e. curl)
195182 ua := r .Header .Get ("User-agent" )
196- for _ , forbiddenUA := range disallowedUserAgents {
197- if strings .Contains (ua , forbiddenUA ) {
198- return false
199- }
183+ if ! strings .HasPrefix (ua , "Mozilla" ) {
184+ return true
200185 }
201- return true
186+
187+ // Disallow otherwise.
188+ //
189+ // This means the request probably came from a browser and thus, it
190+ // should have included Origin or referer headers.
191+ return false
202192}
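Review bot: The new check at `if !strings.HasPrefix(ua, "Mozilla")` treats an empty or absent User-Agent as non-browser and allows the request, and the header is entirely client-supplied, so this branch is a best-effort heuristic rather than an authorization boundary and the code should say so. The deleted `disallowedUserAgents` comment was the only place the policy was described; with it gone, nothing in the hunk explains why the `Mozilla` prefix is the dividing line. Suggested comment above the check: `// Heuristic only: User-Agent is client-supplied and an empty UA passes. Mainstream browsers send a UA beginning with "Mozilla/", so a request without Origin/Referer that carries one is treated as browser-originated and rejected.` allowUserAgent begins outside the hunk; its doc comment, if it has one, should mention the new prefix rule as well.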