aboutsummaryrefslogtreecommitdiff
path: root/app/layout
diff options
context:
space:
mode:
authorGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 17:49:31 +0200
committerGravatar Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 17:49:31 +0200
commite6fd34bdda5d067a9e74714aaae10c89ed998a46 (patch)
tree1a82e54e636f856983e8cd94ec00247eb9987b27 /app/layout
parent97efdcac1e38c568b6be313120694e7201d4c69c (diff)
CSRF token, update HTTP Referrer policy to same-origin
https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer https://github.com/FreshRSS/FreshRSS/issues/570 https://github.com/FreshRSS/FreshRSS/issues/955 https://github.com/FreshRSS/FreshRSS/issues/1198 https://github.com/FreshRSS/FreshRSS/issues/565 https://github.com/FreshRSS/FreshRSS/issues/554
Diffstat (limited to 'app/layout')
-rw-r--r--app/layout/aside_feed.phtml1
-rw-r--r--app/layout/layout.phtml2
-rw-r--r--app/layout/nav_menu.phtml1
3 files changed, 3 insertions, 1 deletions
diff --git a/app/layout/aside_feed.phtml b/app/layout/aside_feed.phtml
index 67507b88d..e8fdbf842 100644
--- a/app/layout/aside_feed.phtml
+++ b/app/layout/aside_feed.phtml
@@ -20,6 +20,7 @@
<?php } ?>
<form id="mark-read-aside" method="post">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<ul class="tree">
<li class="tree-folder category all<?php echo FreshRSS_Context::isCurrentGet('a') ? ' active' : ''; ?>">
<div class="tree-folder-title">
diff --git a/app/layout/layout.phtml b/app/layout/layout.phtml
index 2aeba40a9..189d93fbe 100644
--- a/app/layout/layout.phtml
+++ b/app/layout/layout.phtml
@@ -42,7 +42,7 @@
?>
<link rel="alternate" type="application/rss+xml" title="<?php echo $this->rss_title; ?>" href="<?php echo Minz_Url::display($url_rss); ?>" />
<?php } if (!FreshRSS_Context::$system_conf->allow_referrer) { ?>
- <meta name="referrer" content="origin" />
+ <meta name="referrer" content="never" />
<?php } if (FreshRSS_Context::$system_conf->allow_robots) { ?>
<meta name="description" content="<?php echo htmlspecialchars(FreshRSS_Context::$name . ' | ' . FreshRSS_Context::$description, ENT_COMPAT, 'UTF-8'); ?>" />
<?php } else { ?>
diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml
index 92268ff67..17655acbf 100644
--- a/app/layout/nav_menu.phtml
+++ b/app/layout/nav_menu.phtml
@@ -88,6 +88,7 @@
type="submit"><?php echo _t('gen.action.mark_read'); ?></button>
<div class="dropdown">
+ <input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
<div id="dropdown-read" class="dropdown-target"></div>
<a class="dropdown-toggle btn" href="#dropdown-read"><?php echo _i('down'); ?></a>
generated by cgit v1.2.3 (git 2.39.1) at 2026-04-24 12:35:55 +0000