From c633e2b575e9a27c52139d5c6a717dae2f73b8fe Mon Sep 17 00:00:00 2001
From: Juan Batiz-Benet
Date: Tue, 28 Jul 2015 07:20:05 -0700
Subject: [PATCH] cmds/http: remove referrer check

it used to be here for a CSRF check. but we now have CORS checks.

License: MIT
Signed-off-by: Juan Batiz-Benet
---
 commands/http/handler.go | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/commands/http/handler.go b/commands/http/handler.go
index 763da51b7..03300bf50 100644
--- a/commands/http/handler.go
+++ b/commands/http/handler.go
@@ -102,20 +102,6 @@ func (i Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 func (i internalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 log.Debug("Incoming API request: ", r.URL)
 
- // error on external referers (to prevent CSRF attacks)
- referer := r.Referer()
- scheme := r.URL.Scheme
- if len(scheme) == 0 {
- scheme = "http"
- }
- host := fmt.Sprintf("%s://%s/", scheme, r.Host)
- // empty string means the user isn't following a link (they are directly typing in the url)
- if referer != "" && !strings.HasPrefix(referer, host) {
- w.WriteHeader(http.StatusForbidden)
- w.Write([]byte("403 - Forbidden"))
- return
- }
-
 req, err := Parse(r, i.root)
 if err != nil {
 if err == ErrNotFound {
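Review bot: With the Referer guard gone, `internalHandler.ServeHTTP` hands every request straight to `Parse(r, i.root)`, and nothing in this hunk validates where the request originated. CORS response headers control whether a browser lets a page read a cross-origin response; they do not stop a simple cross-site request from being sent and processed, so CORS on its own is not a CSRF defence for state-changing commands. The CORS checks the commit message relies on are not visible here; if they only set `Access-Control-*` headers, the handler should still refuse a request whose `Origin` (or, failing that, `Referer`) is present and not on the allowed list before `Parse` runs, answering with `w.WriteHeader(http.StatusForbidden)` and returning early. The body of ServeHTTP continues outside the hunk.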