diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index 35dee601..0a5f1e4d 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -216,11 +216,17 @@ def _should_skip_authlog(env):
             return True
     return False
 
+
+def _csrf_exempt(path):
+    # first a get of info to get CSRF key, also '/forward/web' to enable
+    # the popup ability to just forward
+    return path == '/sessions/current/info' or path.endswith('/forward/web')
+
+
 def _csrf_valid(env, session):
     # This could be simplified into a statement, but this is more readable
     # to have it broken out
-    if (env['REQUEST_METHOD'] == 'GET' and
-            env['PATH_INFO'] == '/sessions/current/info'):
+    if (env['REQUEST_METHOD'] == 'GET' and _csrf_exmept(env['PATH_INFO']):
         # Provide a web client a safe hook to request the CSRF token
         # This means that we consider GET of /sessions/current/info to be
         # a safe thing to inflict via CSRF, since CORS should prevent
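Review bot: The new condition in `_csrf_valid` calls `_csrf_exmept`, but the helper added above is named `_csrf_exempt`, so every GET request will raise NameError at this line instead of reaching the CSRF check; the fix is `if (env['REQUEST_METHOD'] == 'GET' and _csrf_exempt(env['PATH_INFO']):`. Separately, `path.endswith('/forward/web')` widens the GET exemption from one exact path to any path with that suffix; if the set of forwarding endpoints is known, an exact-match comparison or a documented prefix check would keep the exempt surface explicit, and `_csrf_exempt` should carry a comment stating that it is only ever consulted for GET. The explanatory comment that follows still names only `/sessions/current/info` and should mention the `/forward/web` exemption as well. The body of `_csrf_valid` continues past the end of the hunk.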