Merge pull request #1210 from Alkarex/csrf-token

CSRF token, update HTTP Referrer policy to same-origin
author: Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 19:20:36 +0200
committer: GitHub <noreply@github.com> 2016-08-13 19:20:36 +0200
commit: 7eab5a3a69d0a1ca0812c78a00fb353731ae14a7 (patch)
tree: 36fea769271878d2ad9927a26cb25aa53a799207 /app/FreshRSS.php
parent: 97efdcac1e38c568b6be313120694e7201d4c69c (diff)
parent: b3963f6ed6316745593da8a68116006a179a817e (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 20640266e..f9c371d27 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -57,7 +57,7 @@ class FreshRSS extends Minz_FrontController {
 
 	private static function initAuth() {
 		FreshRSS_Auth::init();
-		if (Minz_Request::isPost() && !is_referer_from_same_domain()) {
+		if (Minz_Request::isPost() && !(is_referer_from_same_domain() && FreshRSS_Auth::isCsrfOk())) {
 			// Basic protection against XSRF attacks
 			FreshRSS_Auth::removeAccess();
 			$http_referer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
author	Alexandre Alapetite <alexandre@alapetite.fr>	2016-08-13 19:20:36 +0200
committer	GitHub <noreply@github.com>	2016-08-13 19:20:36 +0200
commit	7eab5a3a69d0a1ca0812c78a00fb353731ae14a7 (patch)
tree	36fea769271878d2ad9927a26cb25aa53a799207 /app/FreshRSS.php
parent	97efdcac1e38c568b6be313120694e7201d4c69c (diff)
parent	b3963f6ed6316745593da8a68116006a179a817e (diff)