diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2016-08-13 17:49:31 +0200 |
|---|---|---|
| committer | Alexandre Alapetite <alexandre@alapetite.fr>
| 2016-08-13 17:49:31 +0200 |
| commit | e6fd34bdda5d067a9e74714aaae10c89ed998a46 (patch) | |
| tree | 1a82e54e636f856983e8cd94ec00247eb9987b27 /lib/lib_rss.php | |
| parent | 97efdcac1e38c568b6be313120694e7201d4c69c (diff) | |
CSRF token, update HTTP Referrer policy to same-origin
https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer
https://github.com/FreshRSS/FreshRSS/issues/570
https://github.com/FreshRSS/FreshRSS/issues/955
https://github.com/FreshRSS/FreshRSS/issues/1198
https://github.com/FreshRSS/FreshRSS/issues/565
https://github.com/FreshRSS/FreshRSS/issues/554
Diffstat (limited to 'lib/lib_rss.php')
| -rw-r--r-- | lib/lib_rss.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 8196f7847..b5ba78889 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -391,7 +391,7 @@ function cryptAvailable() { function is_referer_from_same_domain() { if (empty($_SERVER['HTTP_REFERER'])) { - return false; + return true; //Accept empty referer while waiting for good support of meta referrer same-origin policy in browsers } $host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') . (empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST'])); |