From 0d6b9590452097781403fe1b191a9a2c9a60bcbb Mon Sep 17 00:00:00 2001
From: giles
Date: Sat, 7 Mar 2026 09:50:23 +0000
Subject: [PATCH] Mark IO proxy endpoint as CSRF-exempt (read-only, no state mutation)

Co-Authored-By: Claude Opus 4.6
---
 shared/sx/pages.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/shared/sx/pages.py b/shared/sx/pages.py
index 46c4772..baf341f 100644
--- a/shared/sx/pages.py
+++ b/shared/sx/pages.py
@@ -563,6 +563,9 @@ def mount_io_endpoint(app: Any, service_name: str) -> None:
 if isinstance(_val, _Comp) and _val.io_refs:
 _ALLOWED_IO.update(_val.io_refs)
 
+ from shared.browser.app.csrf import csrf_exempt
+
+ @csrf_exempt
 async def io_proxy(name: str) -> Any:
 if name not in _ALLOWED_IO:
 quart_abort(403)
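Review bot: The exemption on `io_proxy` rests on every name in `_ALLOWED_IO` being read-only, but that set is filled from component `io_refs` a few lines above, so nothing in the visible code enforces the property; a component that later references a state-changing IO primitive would become reachable cross-site without a token. I would record the invariant at the decorator, e.g. `# CSRF-exempt: every name in _ALLOWED_IO must be side-effect free; keep mutating primitives out of io_refs`, and, if the route accepts POST, consider checking `name` against an explicit read-only set before dispatch. The function-scope import of `csrf_exempt` also deserves a one-line comment if it is there to avoid a circular import. The bodies of `mount_io_endpoint` and `io_proxy` continue outside the hunk, so the accepted methods and the dispatch after the 403 check are not visible here.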