authorGravatar hesch <hesch@users.noreply.github.com> 2021-02-11 17:38:39 +0100
committerGravatar GitHub <noreply@github.com> 2021-02-11 17:38:39 +0100
commit13b03b232ba9a5b3c30784adc3a8bf8f03b90f63 (patch)
tree118f918203c3e0eae98a8e7b6bc1ffad13b880c5 /app/FreshRSS.php
parent54f04e1233b59f1b62c8a79060b59c786a142792 (diff)
refactor: remove referer checks, as they are no longer needed (replaced by csrf tokens) (#3432)
Diffstat (limited to 'app/FreshRSS.php')
-rw-r--r--app/FreshRSS.php10
1 files changed, 0 insertions, 10 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index fe55427c0..8a9a85213 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -65,16 +65,6 @@ class FreshRSS extends Minz_FrontController {
private static function initAuth() {
FreshRSS_Auth::init();
if (Minz_Request::isPost()) {
- if (!is_referer_from_same_domain()) {
- // Basic protection against XSRF attacks
- FreshRSS_Auth::removeAccess();
- $http_referer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
- self::initI18n();
- Minz_Error::error(403, array('error' => array(
- _t('feedback.access.denied'),
- ' [HTTP_REFERER=' . htmlspecialchars($http_referer, ENT_NOQUOTES, 'UTF-8') . ']'
- )));
- }
if (!(FreshRSS_Auth::isCsrfOk() ||
(Minz_Request::controllerName() === 'auth' && Minz_Request::actionName() === 'login') ||
(Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' && !FreshRSS_Auth::hasAccess('admin')) ||
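Review bot: With the referer heuristic removed, the POST requests exempted from the CSRF check on the two lines after the deleted block (`auth`/`login`, and `user`/`create` when the caller is not an admin) are left with no cross-origin guard at all, because the removed check was the only one that applied to them before a session exists. A forged login or self-registration POST (login CSRF) is lower-impact than a forged state change in an authenticated session, but it is a real vector, so the exemption should at least be documented in place: `// Pre-session requests carry no CSRF token; login and self-registration are exempt and must be protected by their own form token` — and if those forms do not yet carry a pre-session token, that gap should be tracked rather than implied to be covered by this commit. Whether the failure branch of the CSRF check still revokes access the way the deleted branch did cannot be seen here, since the condition and the rest of initAuth continue past the hunk.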