
meta referrer origin #1198

Merged
Alkarex merged 1 commit into FreshRSS:dev from Alkarex:CSP-referrer
Aug 7, 2016

Conversation

Alkarex (Member) commented Aug 7, 2016

#955
Tested in Firefox 48, Chrome 53, Edge 25

Frenzie (Member) commented Sep 19, 2016

I think this may have broken the ability to update stuff in extensions, unless something went wrong for me while upgrading to 1.5.

Error 403 - Forbidden

You don’t have permission to access this page [HTTP_REFERER=]
← Go back to your RSS feeds

Frenzie (Member) commented Sep 19, 2016

Specifically it's this codepath that gets executed:

private static function initAuth() {
	FreshRSS_Auth::init();
	// Every POST must come from the same domain AND carry a valid CSRF token;
	// if either check fails, the session is dropped and a 403 is returned.
	if (Minz_Request::isPost() && !(is_referer_from_same_domain() && FreshRSS_Auth::isCsrfOk())) {
		// Basic protection against XSRF attacks
		FreshRSS_Auth::removeAccess();
		$http_referer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
		Minz_Translate::init('en'); //TODO: Better choice of fallback language
		Minz_Error::error(
			403,
			array('error' => array(
				_t('feedback.access.denied'),
				' [HTTP_REFERER=' . htmlspecialchars($http_referer) . ']'
			))
		);
	}
}
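The two halves of the failure Frenzie reports are the browser's referrer policy (what the `<meta name="referrer" content="origin">` tag from this PR makes the browser put in `Referer`) and the server-side gate above, which requires both a same-domain `Referer` and a valid CSRF token on every POST. The following is an added example, written for this page and not FreshRSS's own code (FreshRSS is PHP; Python is used here only to model the logic). `referer_for` implements the eight Referrer Policy values, `is_referer_from_same_domain` is a simplified stand-in for the FreshRSS helper of the same name (it is not the project's implementation), `init_auth` mirrors the gate quoted above, and the host `rss.example.com` and the URLs are constructed:

```python
"""Model of how a page-level referrer policy shapes the Referer header a browser
sends, and how a FreshRSS-style same-domain + CSRF gate then reacts to it.
Added illustration; not FreshRSS code."""
from urllib.parse import urlsplit, urlunsplit


def _host_port(parts):
    host = parts.hostname or ""
    return host if parts.port is None else f"{host}:{parts.port}"


def origin_of(url):
    """ASCII serialisation of an origin: scheme://host[:port]/ (note the trailing slash)."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def strip_for_referer(url):
    """A 'full' referrer: credentials and fragment removed, empty path defaulted to '/'."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def referer_for(policy, source, destination):
    """Referer value (or None) a browser sends from `source` to `destination`
    under one of the eight Referrer Policy values."""
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    full, origin = strip_for_referer(source), origin_of(source)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":  # the policy this PR's meta tag selects: origin only, even on downgrade
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    raise ValueError(f"unknown referrer policy: {policy}")


def is_referer_from_same_domain(server_host, referer):
    """Simplified stand-in (assumption, not FreshRSS's helper): the Referer must be an
    http(s) URL whose host[:port] equals the served host. The comparison is exact, so an
    origin-only Referer such as 'https://rss.example.com/' passes while a prefix trick like
    'https://rss.example.com.attacker.example/' does not."""
    if not referer:
        return False
    p = urlsplit(referer)
    if p.scheme not in ("http", "https"):
        return False
    return _host_port(p).lower() == server_host.lower()


def init_auth(method, referer, csrf_ok, server_host):
    """Mirror of the gate quoted in the thread: a POST needs BOTH a same-domain Referer
    AND a valid CSRF token, otherwise 403 with the (possibly empty) Referer echoed back."""
    if method == "POST" and not (is_referer_from_same_domain(server_host, referer) and csrf_ok):
        return 403, f"Access denied [HTTP_REFERER={referer or ''}]"
    return 200, "ok"


def scenarios():
    """Run a same-origin extension form POST under several policies, with and without
    a CSRF token, plus one cross-site POST. Constructed host and URLs."""
    host = "rss.example.com"
    page = f"https://{host}/i/?c=extension&a=configure"
    results = {}
    for policy in ("origin", "no-referrer", "unsafe-url"):
        for csrf_ok in (True, False):
            results[(policy, csrf_ok)] = init_auth("POST", referer_for(policy, page, page), csrf_ok, host)
    cross = referer_for("unsafe-url", "https://attacker.example/x", page)
    results["cross-site"] = init_auth("POST", cross, True, host)
    return results


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(case, outcome)
```

With the `origin` policy the Referer collapses to `https://rss.example.com/`, which the exact host comparison still accepts, so the 403 in the report can only come from the second operand of the `&&`: the missing token. A `no-referrer` policy, or a browser that strips the header entirely, produces the `[HTTP_REFERER=]` form of the message even when the token is valid, which is worth keeping in mind when reading that error.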

Alkarex (Member, Author) commented Sep 19, 2016

Yes indeed. Related issue #1253
I believe the CSRF token is missing for the extensions.

Alkarex mentioned this pull request Sep 19, 2016
Alkarex added a commit to Alkarex/FreshRSS that referenced this pull request Apr 1, 2025
Alkarex added a commit that referenced this pull request Apr 1, 2025
	#6303 (comment)
	Was already implemented conditionally
	#1198