From d65bbf2113a165bd495a27377ae911df35eda58a Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Sat, 2 Aug 2014 08:19:10 +0200
Subject: [PATCH] Allow GET requests without CSRF

---
 cmd/syncthing/gui_csrf.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cmd/syncthing/gui_csrf.go b/cmd/syncthing/gui_csrf.go
index ee8ee39d8..b31e99935 100644
--- a/cmd/syncthing/gui_csrf.go
+++ b/cmd/syncthing/gui_csrf.go
@@ -43,6 +43,12 @@ func csrfMiddleware(prefix string, next http.Handler) http.Handler {
 return
 }
 
+ if r.Method == "GET" {
+ // Allow GET requests unconditionally
+ next.ServeHTTP(w, r)
+ return
+ }
+
 // Verify the CSRF token
 token := r.Header.Get("X-CSRF-Token")
 if !validCsrfToken(token) {
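Review bot: The added `if r.Method == "GET"` branch skips token verification for every GET that reaches this middleware, so the CSRF protection now depends on an invariant the code does not state: no handler reachable by GET may change state. If a mutating endpoint is, or later becomes, registered for GET, or a handler serves requests without checking the method, it would run on a cross-site request carrying the user's ambient credentials. I would replace the comment with `// GET is exempt from the CSRF check; every handler reachable by GET must be read-only`, and ideally have route registration enforce the allowed method so this cannot regress silently. csrfMiddleware starts and ends outside the hunk, so how the routes are registered is not visible here.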