From e6fd34bdda5d067a9e74714aaae10c89ed998a46 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sat, 13 Aug 2016 17:49:31 +0200
Subject: CSRF token, update HTTP Referrer policy to same-origin

https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer
https://github.com/FreshRSS/FreshRSS/issues/570
https://github.com/FreshRSS/FreshRSS/issues/955
https://github.com/FreshRSS/FreshRSS/issues/1198
https://github.com/FreshRSS/FreshRSS/issues/565
https://github.com/FreshRSS/FreshRSS/issues/554
---
 lib/lib_rss.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/lib_rss.php')

diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 8196f7847..b5ba78889 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -391,7 +391,7 @@ function cryptAvailable() {
 
 function is_referer_from_same_domain() {
 	if (empty($_SERVER['HTTP_REFERER'])) {
-		return false;
+		return true;	//Accept empty referer while waiting for good support of meta referrer same-origin policy in browsers
 	}
 	$host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') .
 		(empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']));
-- 
cgit v1.2.3