admin: Enforce origin implicitly based on request headers

2026-02-14 15:32:09 -05:00 · 2026-02-11 09:52:56 -07:00 · 2026-02-11 09:52:56 -07:00 · 72ac479f5d
commit 72ac479f5d
parent 47f3e8f8dc
1 changed files with 3 additions and 1 deletions
--- a/admin.go
+++ b/admin.go
@ -849,7 +849,9 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	if h.enforceOrigin {
+	_, hasOriginHeader := r.Header["Origin"]
+	_, hasSecHeader := r.Header["Sec-Fetch-Mode"]
+	if h.enforceOrigin || hasOriginHeader || hasSecHeader {
 		// cross-site mitigation
 		origin, err := h.checkOrigin(r)
 		if err != nil {