From a62f0fb0378c3d57d09ab3f0e415e6d98282e3da Mon Sep 17 00:00:00 2001
From: Tim Wundenberg
Date: Sun, 24 Nov 2024 21:52:34 +0100
Subject: [PATCH] fix(security): remove sec-fetch filter because it prohibited page reloads
---
 handler/default.go | 1 -
 middleware/sec_fetch_filter.go | 29 -----------------------------
 2 files changed, 30 deletions(-)
 delete mode 100644 middleware/sec_fetch_filter.go
diff --git a/handler/default.go b/handler/default.go
index d96d6d4..230d061 100644
--- a/handler/default.go
+++ b/handler/default.go
@@ -38,7 +38,6 @@ func GetHandler(d *sql.DB, serverSettings *types.ServerSettings) http.Handler {
 return middleware.Wrapper(
 router,
 middleware.Log,
- middleware.SecFetchFilter,
 middleware.ContentSecurityPolicy,
 middleware.Cors(serverSettings),
 middleware.Corp,
diff --git a/middleware/sec_fetch_filter.go b/middleware/sec_fetch_filter.go
deleted file mode 100644
index a460862..0000000
--- a/middleware/sec_fetch_filter.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package middleware
-
-import "net/http"
-
-func SecFetchFilter(next http.Handler) http.Handler {
-
- // A map is slower than a slice, but it's easier to check if a value exists
- allowedSites := map[string]interface{}{
- "same-origin": nil,
- "none": nil,
- }
-
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- secFetchSite := r.Header.Get("Sec-Fetch-Site")
-
- if secFetchSite == "" {
- next.ServeHTTP(w, r)
- return
- }
-
- _, exists := allowedSites[r.Header.Get("Sec-Fetch-Site")]
- if exists {
- next.ServeHTTP(w, r)
- return
- }
-
- w.WriteHeader(http.StatusForbidden)
- })
-}
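Review bot: With `middleware.SecFetchFilter` dropped from the `middleware.Wrapper(...)` chain in GetHandler, no middleware visible in the hunk is an obvious replacement for rejecting cross-site requests. State-changing endpoints therefore rely on CSRF defences not shown here (tokens, SameSite cookies), which should be confirmed before merging. The deleted filter returned 403 for every `Sec-Fetch-Site` value other than `same-origin`/`none` regardless of method, which is presumably what broke reloads and navigations arriving from other sites. A narrower fix would keep the filter and pass safe top-level navigations ahead of the allow-list check, e.g. `if r.Header.Get("Sec-Fetch-Mode") == "navigate" && (r.Method == http.MethodGet || r.Method == http.MethodHead) { next.ServeHTTP(w, r); return }`, so only non-navigation or state-changing cross-site requests are refused. GetHandler's body starts before and continues after the hunk.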