CSRF token, update HTTP Referrer policy to same-origin

https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer https://github.com/FreshRSS/FreshRSS/issues/570 https://github.com/FreshRSS/FreshRSS/issues/955 https://github.com/FreshRSS/FreshRSS/issues/1198 https://github.com/FreshRSS/FreshRSS/issues/565 https://github.com/FreshRSS/FreshRSS/issues/554
author: Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 17:49:31 +0200
committer: Alexandre Alapetite <alexandre@alapetite.fr> 2016-08-13 17:49:31 +0200
commit: e6fd34bdda5d067a9e74714aaae10c89ed998a46 (patch)
tree: 1a82e54e636f856983e8cd94ec00247eb9987b27 /app/views/auth/formLogin.phtml
parent: 97efdcac1e38c568b6be313120694e7201d4c69c (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index b0083944f..4bbc8ed55 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -6,6 +6,7 @@
 	<?php } ?>
 
 	<form id="crypto-form" method="post" action="<?php echo _url('auth', 'login'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<div>
 			<label for="username"><?php echo _t('gen.auth.username'); ?></label>
 			<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
author	Alexandre Alapetite <alexandre@alapetite.fr>	2016-08-13 17:49:31 +0200
committer	Alexandre Alapetite <alexandre@alapetite.fr>	2016-08-13 17:49:31 +0200
commit	e6fd34bdda5d067a9e74714aaae10c89ed998a46 (patch)
tree	1a82e54e636f856983e8cd94ec00247eb9987b27 /app/views/auth/formLogin.phtml
parent	97efdcac1e38c568b6be313120694e7201d4c69c (diff)