fix(csrf): skip the trusted origins check for plain-text HTTP requests BE-11832 (#710)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>
Co-authored-by: oscarzhou <oscar.zhou@portainer.io>

api/http/middlewares/plaintext_http_request.go

@@ -0,0 +1,36 @@
+package middlewares
+
+import (
+	"net/http"
+	"slices"
+
+	"github.com/gorilla/csrf"
+)
+
+var (
+	// Idempotent (safe) methods as defined by RFC7231 section 4.2.2.
+	safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}
+)
+
+type plainTextHTTPRequestHandler struct {
+	next http.Handler
+}
+
+func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if slices.Contains(safeMethods, r.Method) {
+		h.next.ServeHTTP(w, r)
+		return
+	}
+
+	req := r
+	// If original request was HTTPS (via proxy), keep CSRF checks.
+	if xfproto := r.Header.Get("X-Forwarded-Proto"); xfproto != "https" {
+		req = csrf.PlaintextHTTPRequest(r)
+	}
+
+	h.next.ServeHTTP(w, req)
+}
+
+func PlaintextHTTPRequest(next http.Handler) http.Handler {
+	return &plainTextHTTPRequestHandler{next: next}
+}

api/http/server.go

@@ -349,7 +349,7 @@ func (server *Server) Start() error {
 			log.Info().Str("bind_address", server.BindAddress).Msg("starting HTTP server")
 			httpServer := &http.Server{
 				Addr:     server.BindAddress,
-				Handler:  handler,
+				Handler:  middlewares.PlaintextHTTPRequest(handler),
 				ErrorLog: errorLogger,
 			}