@domdorn
Last active February 14, 2020 10:09
PlayFramework 2.5: Global CSRF Protection – Disable CSRF selectively
# Header name/value pair that makes Play's CSRF filter skip its check for a request.
# NOTE(review): this value is effectively a bypass secret — any client that sends
# `Csrf-Token: <this value>` skips CSRF on every route, not only NOCSRF ones — so use a
# long random value unique to the deployment (not this example literal) and keep it out
# of public repositories. It must match the literal used in
# RouteCommentExcludingCSRFFilterFacade.
play.filters.csrf.header.bypassHeaders {
Csrf-Token = "my-secret-csrf-off-switch"
}
# Registers the filter chain defined by framework.Filters as the global HTTP filters.
play.http.filters=framework.Filters
package framework
import javax.inject.Inject
import play.api.http.HttpFilters
import play.api.mvc.EssentialFilter
import play.filters.csrf.RouteCommentExcludingCSRFFilterFacade
import play.filters.gzip.GzipFilter
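class Filters @Inject()(
  routeCommentExcludingCSRFFilterFacade: RouteCommentExcludingCSRFFilterFacade,
  gzipFilter: GzipFilter
) extends HttpFilters {
  /** Global filter chain; Play applies the filters in list order, so gzip wraps the
    * CSRF facade.
    *
    * NOTE(review): an earlier version of this chain also listed a `metricsFilter` that was
    * not declared anywhere in this class, so the class did not compile. If the project has
    * such a filter, inject it as a further constructor parameter and put it back at the head
    * of this sequence.
    */
  override val filters: Seq[EssentialFilter] =
    Seq(gzipFilter, routeCommentExcludingCSRFFilterFacade)
}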
package play.filters.csrf
import javax.inject.Inject
import play.api.mvc.{EssentialAction, EssentialFilter}
import scala.concurrent.ExecutionContext
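class RouteCommentExcludingCSRFFilterFacade @Inject()(filter: CSRFFilter)(implicit ec: ExecutionContext) extends EssentialFilter {
  import play.api.mvc.RequestHeader

  /** Marker a route's comment block must carry to have its CSRF check switched off.
    * Matched as a whole word, so `#NOCSRF` and `NOCSRF` qualify but an unrelated token that
    * merely contains these letters does not.
    */
  private val NoCsrfMarker = """\bNOCSRF\b""".r

  /** Header the CSRF filter recognises as a bypass, and the value it expects.
    * Both must agree with `play.filters.csrf.header.bypassHeaders` in application.conf.
    *
    * NOTE(review): the value is a shared secret — any client that sends this header/value
    * pair skips CSRF on every route, not only NOCSRF ones — so it should be a long random
    * value unique to the deployment; the example literal here should not reach production.
    */
  private val BypassHeaderName = "Csrf-Token"
  private val BypassHeaderValue = "my-secret-csrf-off-switch"

  /** Wraps `nextFilter` in the CSRF filter. Requests to routes whose route comments
    * contain `NOCSRF` are given the bypass header first, so the filter skips its check
    * for them.
    *
    * The request still goes through the CSRF filter rather than around it: GET/HEAD
    * requests with no prior request (e.g. a crawler) arrive without a token, and a
    * template that renders the CSRF token into a form would fail if the filter had not run.
    *
    * @param nextFilter the action to protect
    * @return the CSRF-filtered action
    */
  override def apply(nextFilter: EssentialAction): EssentialAction = new EssentialAction {
    override def apply(rh: RequestHeader) = {
      val csrfDisabledForRoute =
        rh.tags.get("ROUTE_COMMENTS").exists(comments => NoCsrfMarker.findFirstIn(comments).isDefined)
      val request =
        if (csrfDisabledForRoute)
          // `replace` rather than `add`: the bypass check presumably reads only the first
          // value of the header (verify against CSRFFilter), so a client-supplied
          // Csrf-Token header must not be left in front of the bypass value.
          rh.copy(headers = rh.headers.replace(BypassHeaderName -> BypassHeaderValue))
        else rh
      filter(nextFilter)(request)
    }
  }
}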
#NOCSRF
POST /search @controllers.SearchController.search()