Fix CSRF & bump to v0.7.1 (#328)

wwwillchen · web-flow · commit d7b9f324ea11 · 2024-05-29T20:57:57.000-07:00
* Disable CSRF check for debug mode (to support Colab)
* Bump to v0.7.1
diff --git a/mesop/server/server.py b/mesop/server/server.py
@@ -163,7 +163,12 @@ def generate_data(ui_request: pb.UiRequest) -> Generator[str, None, None]:
   def ui_stream() -> Response:
     # Prevent CSRF by checking the request origin matches the origin
     # of the URL root (where the Flask app is being served from)
-    if not is_same_origin(request.headers.get("Origin"), request.url_root):
+    #
+    # Skip the check if it's running in debug mode because when
+    # running in Colab, the UI and HTTP requests are on different origins.
+    if not runtime().debug_mode and not is_same_origin(
+      request.headers.get("Origin"), request.url_root
+    ):
       abort(403, "Rejecting cross-site POST request to /ui")
     data = request.data
     if not data:
diff --git a/mesop/version.py b/mesop/version.py
@@ -1,6 +1,6 @@
 """Contains the version string."""
 
-VERSION = "0.7.0"
+VERSION = "0.7.1"
 
 if __name__ == "__main__":
   print(VERSION)
