gorilla/csrf

[FEATURE] Custom TrustedOrigin matcher

cody-dot-js opened this issue · 0 comments

Is there an existing feature request for this?

  • I have searched the existing feature requests

Is your feature request related to a problem? Please describe.

I love the TrustedOrigins option, but I wish it could do more than strict equality checks.

I am working on integrating a cross-domain SPA that is hosted on vercel. We have vercel branch preview deploys turned on as part of our CI/CD. The preview deploy URLs have the form of https://{vercel-project-name}-git-{git-branch-name}-{vercel-team-name}.vercel.app, all lower-kebab-cased.

Since the preview URLs are variable and not strictly known ahead of time, I won't be able to use the strict equality check for trusted origin items against the Referer here:

csrf/csrf.go

Lines 258 to 273 in a009743

valid := sameOrigin(r.URL, referer)
if !valid {
	for _, trustedOrigin := range cs.opts.TrustedOrigins {
		if referer.Host == trustedOrigin {
			valid = true
			break
		}
	}
}
if !valid {
	r = envError(r, ErrBadReferer)
	cs.opts.ErrorHandler.ServeHTTP(w, r)
	return
}

Describe the solution that you would like.

I would like an additional way to configure cross-domain trusted origins with a callback. It could either be a separate option that replaces the TrustedOrigins loop that checks for strict equality or a TrustedOriginPredicateFunc that you pass in as an option which gets called in place of the strict equality check.

That way users can leverage globs, regex, etc. to match patterns for somewhat random subdomains, like:

https://my-vercel-project-git-enable-trusted-origins-my-vercel-team.vercel.app

Describe alternatives you have considered.

No response

Anything else?

No response
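The following is an added example, not code from gorilla/csrf or from the issue author, showing what a predicate-based trusted-origin check along the lines of the proposal could look like, and why the predicate should be written as narrowly as the preview URL form above allows. `TrustedOriginFunc`, `RefererTrusted` and `VercelPreviewMatcher` are hypothetical names; `sameOrigin` is a simplified stand-in for the library's own same-origin test (scheme and host must match), and the project, team and request URLs are constructed values. The predicate is only consulted after the same-origin test and the existing strict `TrustedOrigins` comparison have both failed, so the current behaviour is preserved.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// TrustedOriginFunc is the predicate the issue proposes (hypothetical name).
// It is consulted only after the same-origin test and the strict
// TrustedOrigins comparison have both failed.
type TrustedOriginFunc func(referer *url.URL) bool

// sameOrigin is a simplified stand-in for the check gorilla/csrf performs
// before it walks TrustedOrigins: scheme and host (including port) must match.
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// RefererTrusted reproduces the decision made in the quoted csrf.go loop, with
// the predicate slotted in where the loop would otherwise give up.
func RefererTrusted(rawReq, rawReferer string, trusted []string, pred TrustedOriginFunc) (bool, error) {
	reqURL, err := url.Parse(rawReq)
	if err != nil {
		return false, err
	}
	referer, err := url.Parse(rawReferer)
	if err != nil || referer.Host == "" {
		// A missing or unparsable Referer is rejected outright, as csrf.go does.
		return false, fmt.Errorf("missing or invalid referer")
	}
	if sameOrigin(reqURL, referer) {
		return true, nil
	}
	for _, o := range trusted {
		if referer.Host == o { // the existing strict equality check
			return true, nil
		}
	}
	return pred != nil && pred(referer), nil
}

// VercelPreviewMatcher returns a predicate that accepts only HTTPS preview
// deploys of one project owned by one team. Project and team are quoted so
// they match literally; only the branch segment is a wildcard, and the
// pattern is anchored at both ends so a host such as
// "<project>-git-<branch>-<team>.vercel.app.attacker.example" cannot match.
func VercelPreviewMatcher(project, team string) TrustedOriginFunc {
	re := regexp.MustCompile(`^` + regexp.QuoteMeta(project) +
		`-git-[a-z0-9-]+-` + regexp.QuoteMeta(team) + `\.vercel\.app$`)
	return func(u *url.URL) bool {
		// Match against Host (not Hostname) so an explicit port is rejected too.
		return u.Scheme == "https" && re.MatchString(u.Host)
	}
}

func main() {
	pred := VercelPreviewMatcher("my-vercel-project", "my-vercel-team")
	req := "https://api.example.com/session" // constructed request URL
	for _, ref := range []string{ // constructed Referer values
		"https://my-vercel-project-git-enable-trusted-origins-my-vercel-team.vercel.app/",
		"https://my-vercel-project-git-main-other-team.vercel.app/",
		"https://my-vercel-project-git-main-my-vercel-team.vercel.app.attacker.example/",
		"http://my-vercel-project-git-main-my-vercel-team.vercel.app/",
	} {
		ok, err := RefererTrusted(req, ref, []string{"app.example.com"}, pred)
		fmt.Printf("%-85s trusted=%v err=%v\n", ref, ok, err)
	}
}
```

The point of the matcher is that it pins everything the page says is fixed (project name, team name, the `.vercel.app` suffix, HTTPS) and leaves only the branch segment variable; a looser pattern such as "anything ending in `.vercel.app`" would trust every deployment on that shared platform, which is a much wider set of origins than the one the issue wants to allow.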