From 6266b86998718074b13b779e4f733485e2d39324 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sun, 7 Aug 2016 20:33:34 +0200
Subject: Apache Etag issue

A -gzip suffix seems to be added and not removed somewhere in the Apache
+ PHP7 stack, which caused the caching to fail (the 304 Not Modified
responses were not working anymore).
Related to https://bz.apache.org/bugzilla/show_bug.cgi?id=39727
---
 lib/http-conditional.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'lib')

diff --git a/lib/http-conditional.php b/lib/http-conditional.php
index 59fbef41f..6d3a0a97f 100644
--- a/lib/http-conditional.php
+++ b/lib/http-conditional.php
@@ -35,12 +35,12 @@
   ... //Rest of the script, just as you would do normally.
  ?>
 
- Version 1.7 beta, 2013-12-02, http://alexandre.alapetite.fr/doc-alex/php-http-304/
+ Version 1.8 beta, 2016-08-07, http://alexandre.alapetite.fr/doc-alex/php-http-304/
 
  ------------------------------------------------------------------
  Written by Alexandre Alapetite, http://alexandre.alapetite.fr/cv/
 
- Copyright 2004-2013, Licence: Creative Commons "Attribution-ShareAlike 2.0 France" BY-SA (FR),
+ Copyright 2004-2016, Licence: Creative Commons "Attribution-ShareAlike 2.0 France" BY-SA (FR),
  http://creativecommons.org/licenses/by-sa/2.0/fr/
  http://alexandre.alapetite.fr/divers/apropos/#by-sa
  - Attribution. You must give the original author credit
@@ -96,7 +96,8 @@ function httpConditional($UnixTimeStamp,$cacheSeconds=0,$cachePrivacy=0,$feedMod
 	if ((!$is412)&&isset($_SERVER['HTTP_IF_MATCH']))
 	{//rfc2616-sec14.html#sec14.24
 		$etagsClient=stripslashes($_SERVER['HTTP_IF_MATCH']);
-		$is412=(($etagClient!=='*')&&(strpos($etagsClient,$etagServer)===false));
+		$etagsClient=str_ireplace('-gzip','',$etagsClient);
+		$is412=(($etagsClient!=='*')&&(strpos($etagsClient,$etagServer)===false));
 	}
 	if ($is304&&isset($_SERVER['HTTP_IF_MODIFIED_SINCE']))
 	{//rfc2616-sec14.html#sec14.25 //rfc1945.txt
@@ -111,6 +112,7 @@ function httpConditional($UnixTimeStamp,$cacheSeconds=0,$cachePrivacy=0,$feedMod
 	{//rfc2616-sec14.html#sec14.26
 		$nbCond++;
 		$etagClient=stripslashes($_SERVER['HTTP_IF_NONE_MATCH']);
+		$etagClient=str_ireplace('-gzip','',$etagClient);
 		$is304=(($etagClient===$etagServer)||($etagClient==='*'));
 	}
 	if ((!$is412)&&isset($_SERVER['HTTP_IF_UNMODIFIED_SINCE']))
-- 
cgit v1.2.3


From 29d79185880f361545cf08b9faa4c755206c296e Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Thu, 11 Aug 2016 22:44:42 +0200
Subject: Support for OPML 2.0 category attribute

https://github.com/FreshRSS/FreshRSS/issues/1202
---
 CHANGELOG.md     |  2 ++
 README.fr.md     |  1 +
 README.md        |  1 +
 lib/lib_opml.php | 31 ++++++++++++++++++++++++++++++-
 4 files changed, 34 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 601bc9d4b..017bd6e1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,12 +16,14 @@
 	* Fixed scroll in log view [#1178](https://github.com/FreshRSS/FreshRSS/issues/1178)
 	* Fixed JavaScript bug when articles were not always marked as read [#1123](https://github.com/FreshRSS/FreshRSS/issues/1123)
 	* Fixed Apache Etag issue that prevented caching [#1199](https://github.com/FreshRSS/FreshRSS/pull/1199)
+	* Fixed OPML import of categories [#1202](https://github.com/FreshRSS/FreshRSS/issues/1202)
 * UI
 	* Updated to jQuery 3.1.0 and several JavaScript fixes (e.g. drag & drop) [#1197](https://github.com/FreshRSS/FreshRSS/pull/1197)
 * API
 	* Add API link in FreshRSS profile settings to ease set-up [#1186](https://github.com/FreshRSS/FreshRSS/pull/1186)
 * Mics.
 	* JSHint of JavaScript code and better initialisation [#1196](https://github.com/FreshRSS/FreshRSS/pull/1196)
+	* Updated credits, and images in README [#1201](https://github.com/FreshRSS/FreshRSS/issues/1201)
 
 
 ## 2016-07-23 FreshRSS 1.4.0
diff --git a/README.fr.md b/README.fr.md
index a53653286..8324b9657 100644
--- a/README.fr.md
+++ b/README.fr.md
@@ -125,6 +125,7 @@ mysqldump -u utilisateur -p --databases freshrss > freshrss.sql
 * [php-http-304](http://alexandre.alapetite.fr/doc-alex/php-http-304/)
 * [jQuery](http://jquery.com/)
 * [ArthurHoaro/favicon](https://github.com/ArthurHoaro/favicon)
+* [lib_opml](https://github.com/marienfressinaud/lib_opml)
 * [keyboard_shortcuts](http://www.openjs.com/scripts/events/keyboard_shortcuts/)
 * [flotr2](http://www.humblesoftware.com/flotr2)
 
diff --git a/README.md b/README.md
index 1c9f89c78..844967f4f 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,7 @@ mysqldump -u user -p --databases freshrss > freshrss.sql
 * [php-http-304](http://alexandre.alapetite.fr/doc-alex/php-http-304/)
 * [jQuery](http://jquery.com/)
 * [ArthurHoaro/favicon](https://github.com/ArthurHoaro/favicon)
+* [lib_opml](https://github.com/marienfressinaud/lib_opml)
 * [keyboard_shortcuts](http://www.openjs.com/scripts/events/keyboard_shortcuts/)
 * [flotr2](http://www.humblesoftware.com/flotr2)
 
diff --git a/lib/lib_opml.php b/lib/lib_opml.php
index 66b854313..0414868fb 100644
--- a/lib/lib_opml.php
+++ b/lib/lib_opml.php
@@ -12,7 +12,7 @@
  *
  * @author   Marien Fressinaud <dev@marienfressinaud.fr>
  * @link     https://github.com/marienfressinaud/lib_opml
- * @version  0.2
+ * @version  0.2-FreshRSS~1.5.1
  * @license  public domain
  *
  * Usages:
@@ -123,6 +123,32 @@ function libopml_parse_outline($outline_xml, $strict = true) {
 	return $outline;
 }
 
+/**
+ * Reformat the XML document as a hierarchy when
+ * the OPML 2.0 category attribute is used
+ */
+function preprocessing_categories($doc) {
+	$outline_categories = [];
+	$body = $doc->getElementsByTagName('body')->item(0);
+	$xpath = new DOMXpath($doc);
+	$outlines = $xpath->query("/opml/body/outline[@category]");
+	foreach ($outlines as $outline) {
+		$category = trim($outline->getAttribute('category'));
+		if ($category != '') {
+			$outline_categorie = null;
+			if (!isset($outline_categories[$category])) {
+				$outline_categorie = $doc->createElement('outline');
+				$outline_categorie->setAttribute('text', $category);
+				$body->insertBefore($outline_categorie, $body->firstChild);
+				$outline_categories[$category] = $outline_categorie;
+			} else {
+				$outline_categorie = $outline_categories[$category];
+			}
+			$outline->parentNode->removeChild($outline);
+			$outline_categorie->appendChild($outline);
+		}
+	}
+}
 
 /**
  * Parse a string as a XML one and returns the corresponding array
@@ -140,6 +166,9 @@ function libopml_parse_string($xml, $strict = true) {
 	$dom->loadXML($xml);
 	$dom->encoding = 'UTF-8';
 
+	//Partial compatibility with the category attribute of OPML 2.0
+	preprocessing_categories($dom);
+
 	$opml = simplexml_import_dom($dom);
 
 	if (!$opml) {
-- 
cgit v1.2.3


From 2c92860310d389f33fe7a10011e2a3921883b7bc Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Thu, 11 Aug 2016 23:13:28 +0200
Subject: Minor quotes

---
 lib/lib_opml.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/lib_opml.php b/lib/lib_opml.php
index 0414868fb..a3af54596 100644
--- a/lib/lib_opml.php
+++ b/lib/lib_opml.php
@@ -131,7 +131,7 @@ function preprocessing_categories($doc) {
 	$outline_categories = [];
 	$body = $doc->getElementsByTagName('body')->item(0);
 	$xpath = new DOMXpath($doc);
-	$outlines = $xpath->query("/opml/body/outline[@category]");
+	$outlines = $xpath->query('/opml/body/outline[@category]');
 	foreach ($outlines as $outline) {
 		$category = trim($outline->getAttribute('category'));
 		if ($category != '') {
-- 
cgit v1.2.3


From 40f1873de790b28890d65263ec1f8426121ae951 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Fri, 12 Aug 2016 18:43:32 +0200
Subject: OPML compatibility PHP 5.3

https://github.com/FreshRSS/FreshRSS/issues/1202
https://github.com/FreshRSS/FreshRSS/pull/1206
---
 lib/lib_opml.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/lib_opml.php b/lib/lib_opml.php
index a3af54596..b89e92977 100644
--- a/lib/lib_opml.php
+++ b/lib/lib_opml.php
@@ -128,7 +128,7 @@ function libopml_parse_outline($outline_xml, $strict = true) {
  * the OPML 2.0 category attribute is used
  */
 function preprocessing_categories($doc) {
-	$outline_categories = [];
+	$outline_categories = array();
 	$body = $doc->getElementsByTagName('body')->item(0);
 	$xpath = new DOMXpath($doc);
 	$outlines = $xpath->query('/opml/body/outline[@category]');
-- 
cgit v1.2.3


From e6fd34bdda5d067a9e74714aaae10c89ed998a46 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Sat, 13 Aug 2016 17:49:31 +0200
Subject: CSRF token, update HTTP Referrer policy to same-origin

https://www.w3.org/TR/referrer-policy/#referrer-policy-no-referrer
https://github.com/FreshRSS/FreshRSS/issues/570
https://github.com/FreshRSS/FreshRSS/issues/955
https://github.com/FreshRSS/FreshRSS/issues/1198
https://github.com/FreshRSS/FreshRSS/issues/565
https://github.com/FreshRSS/FreshRSS/issues/554
---
 app/FreshRSS.php                        |  2 +-
 app/Models/Auth.php                     | 21 +++++++++++++
 app/layout/aside_feed.phtml             |  1 +
 app/layout/layout.phtml                 |  2 +-
 app/layout/nav_menu.phtml               |  1 +
 app/views/auth/formLogin.phtml          |  1 +
 app/views/auth/index.phtml              |  1 +
 app/views/auth/register.phtml           | 55 +++++++++++++++++----------------
 app/views/configure/archiving.phtml     |  2 ++
 app/views/configure/display.phtml       |  1 +
 app/views/configure/queries.phtml       |  1 +
 app/views/configure/reading.phtml       |  1 +
 app/views/configure/sharing.phtml       |  1 +
 app/views/configure/shortcut.phtml      |  1 +
 app/views/configure/system.phtml        |  1 +
 app/views/extension/index.phtml         |  1 +
 app/views/feed/add.phtml                |  1 +
 app/views/helpers/feed/update.phtml     |  1 +
 app/views/helpers/javascript_vars.phtml |  1 +
 app/views/helpers/pagination.phtml      |  1 +
 app/views/importExport/index.phtml      |  2 ++
 app/views/index/logs.phtml              |  1 +
 app/views/stats/idle.phtml              |  1 +
 app/views/subscription/index.phtml      |  7 ++++-
 app/views/user/manage.phtml             |  2 ++
 app/views/user/profile.phtml            |  2 ++
 lib/lib_rss.php                         |  2 +-
 p/scripts/main.js                       | 13 ++++++--
 28 files changed, 94 insertions(+), 33 deletions(-)

(limited to 'lib')

diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 20640266e..f9c371d27 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -57,7 +57,7 @@ class FreshRSS extends Minz_FrontController {
 
 	private static function initAuth() {
 		FreshRSS_Auth::init();
-		if (Minz_Request::isPost() && !is_referer_from_same_domain()) {
+		if (Minz_Request::isPost() && !(is_referer_from_same_domain() && FreshRSS_Auth::isCsrfOk())) {
 			// Basic protection against XSRF attacks
 			FreshRSS_Auth::removeAccess();
 			$http_referer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index d689f7cdb..f0e8db5a2 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -124,6 +124,7 @@ class FreshRSS_Auth {
 		self::$login_ok = false;
 		$conf = Minz_Configuration::get('system');
 		Minz_Session::_param('currentUser', $conf->default_user);
+		Minz_Session::_param('csrf');
 
 		switch ($conf->auth_type) {
 		case 'form':
@@ -156,6 +157,26 @@ class FreshRSS_Auth {
 		$auth_type = $conf->auth_type;
 		return $auth_type === 'form';
 	}
+
+	public static function csrfToken() {
+		$csrf = Minz_Session::param('csrf');
+		if ($csrf == '') {
+			$salt = FreshRSS_Context::$system_conf->salt;
+			$csrf = sha1($salt . uniqid(mt_rand(), true));
+			Minz_Session::_param('csrf', $csrf);
+		}
+		return $csrf;
+	}
+	public static function isCsrfOk($token = null) {
+		$csrf = Minz_Session::param('csrf');
+		if ($csrf == '') {
+			return true;	//Not logged in yet
+		}
+		if ($token === null) {
+			$token = Minz_Request::param('_csrf');
+		}
+		return $token === $csrf;
+	}
 }
 
 
diff --git a/app/layout/aside_feed.phtml b/app/layout/aside_feed.phtml
index 67507b88d..e8fdbf842 100644
--- a/app/layout/aside_feed.phtml
+++ b/app/layout/aside_feed.phtml
@@ -20,6 +20,7 @@
 	<?php } ?>
 
 	<form id="mark-read-aside" method="post">
+	<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 	<ul class="tree">
 		<li class="tree-folder category all<?php echo FreshRSS_Context::isCurrentGet('a') ? ' active' : ''; ?>">
 			<div class="tree-folder-title">
diff --git a/app/layout/layout.phtml b/app/layout/layout.phtml
index 2aeba40a9..189d93fbe 100644
--- a/app/layout/layout.phtml
+++ b/app/layout/layout.phtml
@@ -42,7 +42,7 @@
 ?>
 		<link rel="alternate" type="application/rss+xml" title="<?php echo $this->rss_title; ?>" href="<?php echo Minz_Url::display($url_rss); ?>" />
 <?php } if (!FreshRSS_Context::$system_conf->allow_referrer) { ?>
-		<meta name="referrer" content="origin" />
+		<meta name="referrer" content="never" />
 <?php } if (FreshRSS_Context::$system_conf->allow_robots) { ?>
 		<meta name="description" content="<?php echo htmlspecialchars(FreshRSS_Context::$name . ' | ' . FreshRSS_Context::$description, ENT_COMPAT, 'UTF-8'); ?>" />
 <?php } else { ?>
diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml
index 92268ff67..17655acbf 100644
--- a/app/layout/nav_menu.phtml
+++ b/app/layout/nav_menu.phtml
@@ -88,6 +88,7 @@
 		        type="submit"><?php echo _t('gen.action.mark_read'); ?></button>
 
 		<div class="dropdown">
+			<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 			<div id="dropdown-read" class="dropdown-target"></div>
 
 			<a class="dropdown-toggle btn" href="#dropdown-read"><?php echo _i('down'); ?></a>
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index b0083944f..4bbc8ed55 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -6,6 +6,7 @@
 	<?php } ?>
 
 	<form id="crypto-form" method="post" action="<?php echo _url('auth', 'login'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<div>
 			<label for="username"><?php echo _t('gen.auth.username'); ?></label>
 			<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
diff --git a/app/views/auth/index.phtml b/app/views/auth/index.phtml
index 8f81ac856..74e692ec5 100644
--- a/app/views/auth/index.phtml
+++ b/app/views/auth/index.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('auth', 'index'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('admin.auth.type'); ?></legend>
 
 		<div class="form-group">
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml
index 0c261319a..1f9976391 100644
--- a/app/views/auth/register.phtml
+++ b/app/views/auth/register.phtml
@@ -1,33 +1,34 @@
 <div class="prompt">
-    <h1><?php echo _t('gen.auth.registration'); ?></h1>
+	<h1><?php echo _t('gen.auth.registration'); ?></h1>
 
-    <form method="post" action="<?php echo _url('user', 'create'); ?>">
-        <div>
-            <label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
-            <input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
-        </div>
+	<form method="post" action="<?php echo _url('user', 'create'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
+		<div>
+			<label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
+			<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
+		</div>
 
-        <div>
-            <label class="group-name" for="new_user_passwordPlain"><?php echo _t('gen.auth.password'), '<br />', _i('help'), ' ', _t('gen.auth.password.format'); ?></label>
-            <div class="stick">
-                <input type="password" id="new_user_passwordPlain" name="new_user_passwordPlain" required="required" autocomplete="off" pattern=".{7,}" />
-                <a class="btn toggle-password" data-toggle="new_user_passwordPlain"><?php echo _i('key'); ?></a>
-            </div>
-            <noscript><b><?php echo _t('gen.js.should_be_activated'); ?></b></noscript>
-        </div>
+		<div>
+			<label class="group-name" for="new_user_passwordPlain"><?php echo _t('gen.auth.password'), '<br />', _i('help'), ' ', _t('gen.auth.password.format'); ?></label>
+			<div class="stick">
+				<input type="password" id="new_user_passwordPlain" name="new_user_passwordPlain" required="required" autocomplete="off" pattern=".{7,}" />
+				<a class="btn toggle-password" data-toggle="new_user_passwordPlain"><?php echo _i('key'); ?></a>
+			</div>
+			<noscript><b><?php echo _t('gen.js.should_be_activated'); ?></b></noscript>
+		</div>
 
-        <div>
-            <?php
-                $redirect_url = urlencode(Minz_Url::display(
-                    array('c' => 'index', 'a' => 'index'),
-                    'php', true
-                ));
-            ?>
-            <input type="hidden" name="r" value="<?php echo $redirect_url; ?>" />
-            <button type="submit" class="btn btn-important"><?php echo _t('gen.action.create'); ?></button>
-            <a class="btn" href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.cancel'); ?></a>
-        </div>
-    </form>
+		<div>
+			<?php
+				$redirect_url = urlencode(Minz_Url::display(
+					array('c' => 'index', 'a' => 'index'),
+					'php', true
+				));
+			?>
+			<input type="hidden" name="r" value="<?php echo $redirect_url; ?>" />
+			<button type="submit" class="btn btn-important"><?php echo _t('gen.action.create'); ?></button>
+			<a class="btn" href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.cancel'); ?></a>
+		</div>
+	</form>
 
-    <p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('gen.freshrss.about'); ?></a></p>
+	<p><a href="<?php echo _url('index', 'about'); ?>"><?php echo _t('gen.freshrss.about'); ?></a></p>
 </div>
diff --git a/app/views/configure/archiving.phtml b/app/views/configure/archiving.phtml
index 52ee98a48..2254f5dba 100644
--- a/app/views/configure/archiving.phtml
+++ b/app/views/configure/archiving.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('configure', 'archiving'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.archiving'); ?></legend>
 		<p><?php echo _i('help'); ?> <?php echo _t('conf.archiving.help'); ?></p>
 
@@ -55,6 +56,7 @@
 	</form>
 
 	<form method="post" action="<?php echo _url('entry', 'optimize'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.archiving.advanced'); ?></legend>
 
 		<div class="form-group">
diff --git a/app/views/configure/display.phtml b/app/views/configure/display.phtml
index db6d7951c..62ecc1080 100644
--- a/app/views/configure/display.phtml
+++ b/app/views/configure/display.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('configure', 'display'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.display'); ?></legend>
 
 		<div class="form-group">
diff --git a/app/views/configure/queries.phtml b/app/views/configure/queries.phtml
index 50df4cfea..0dffa268d 100644
--- a/app/views/configure/queries.phtml
+++ b/app/views/configure/queries.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('configure', 'queries'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.query'); ?></legend>
 
 		<?php foreach ($this->queries as $key => $query) { ?>
diff --git a/app/views/configure/reading.phtml b/app/views/configure/reading.phtml
index 9c54b6bd5..07dabf15f 100644
--- a/app/views/configure/reading.phtml
+++ b/app/views/configure/reading.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('configure', 'reading'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.reading'); ?></legend>
 
 		<div class="form-group">
diff --git a/app/views/configure/sharing.phtml b/app/views/configure/sharing.phtml
index 7bf435777..0dad5bf6d 100644
--- a/app/views/configure/sharing.phtml
+++ b/app/views/configure/sharing.phtml
@@ -15,6 +15,7 @@
 			<a href="#" class="remove btn btn-attention" data-remove="group-share-##key##"><?php echo _i('close'); ?></a></div>
 			<a target="_blank" class="btn" title="<?php echo _t('conf.sharing.more_information'); ?>" href="##help##"><?php echo _i('help'); ?></a>
 			</div></div>'>
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.sharing'); ?></legend>
 		<?php
 			foreach (FreshRSS_Context::$user_conf->sharing as $key => $share_options) {
diff --git a/app/views/configure/shortcut.phtml b/app/views/configure/shortcut.phtml
index 264a5f805..dceeb17de 100644
--- a/app/views/configure/shortcut.phtml
+++ b/app/views/configure/shortcut.phtml
@@ -12,6 +12,7 @@
 	<?php $s = FreshRSS_Context::$user_conf->shortcuts; ?>
 
 	<form method="post" action="<?php echo _url('configure', 'shortcut'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.shortcut'); ?></legend>
 
 		<noscript><p class="alert alert-error"><?php echo _t('conf.shortcut.javascript'); ?></p></noscript>
diff --git a/app/views/configure/system.phtml b/app/views/configure/system.phtml
index 4af669eb0..935b49fda 100644
--- a/app/views/configure/system.phtml
+++ b/app/views/configure/system.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('configure', 'system'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('admin.system'); ?></legend>
 
 		<div class="form-group">
diff --git a/app/views/extension/index.phtml b/app/views/extension/index.phtml
index b26334937..7cb16bfff 100644
--- a/app/views/extension/index.phtml
+++ b/app/views/extension/index.phtml
@@ -6,6 +6,7 @@
 	<h1><?php echo _t('admin.extensions.title'); ?></h1>
 
 	<form id="form-extension" method="post">
+	<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 	<?php if (!empty($this->extension_list['system'])) { ?>
 	<h2><?php echo _t('admin.extensions.system'); ?></h2>
 	<?php
diff --git a/app/views/feed/add.phtml b/app/views/feed/add.phtml
index fd6d41b1d..caf685d79 100644
--- a/app/views/feed/add.phtml
+++ b/app/views/feed/add.phtml
@@ -7,6 +7,7 @@
 	<?php } ?>
 
 	<form method="post" action="<?php echo _url('feed', 'add'); ?>" autocomplete="off">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('sub.feed.informations'); ?></legend>
 		<?php if ($this->load_ok) { ?>
 		<div class="form-group">
diff --git a/app/views/helpers/feed/update.phtml b/app/views/helpers/feed/update.phtml
index 72084d8fa..b7e8f68cd 100644
--- a/app/views/helpers/feed/update.phtml
+++ b/app/views/helpers/feed/update.phtml
@@ -18,6 +18,7 @@
 	<?php } ?>
 
 	<form method="post" action="<?php echo _url('subscription', 'feed', 'id', $this->feed->id()); ?>" autocomplete="off">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('sub.feed.informations'); ?></legend>
 		<div class="form-group">
 			<label class="group-name" for="name"><?php echo _t('sub.feed.title'); ?></label>
diff --git a/app/views/helpers/javascript_vars.phtml b/app/views/helpers/javascript_vars.phtml
index 1aa43a207..745baa195 100644
--- a/app/views/helpers/javascript_vars.phtml
+++ b/app/views/helpers/javascript_vars.phtml
@@ -16,6 +16,7 @@ echo htmlspecialchars(json_encode(array(
 		'html5_notif_timeout' => FreshRSS_Context::$user_conf->html5_notif_timeout,
 		'auth_type' => FreshRSS_Context::$system_conf->auth_type,
 		'current_view' => Minz_Request::actionName(),
+		'csrf' => FreshRSS_Auth::csrfToken(),
 	),
 	'shortcuts' => array(
 		'mark_read' => @$s['mark_read'],
diff --git a/app/views/helpers/pagination.phtml b/app/views/helpers/pagination.phtml
index d1c3cc72c..23c45114d 100755
--- a/app/views/helpers/pagination.phtml
+++ b/app/views/helpers/pagination.phtml
@@ -15,6 +15,7 @@
 ?>
 
 <form id="mark-read-pagination" method="post">
+<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 <ul class="pagination">
 	<li class="item pager-next">
 	<?php if (FreshRSS_Context::$next_id) { ?>
diff --git a/app/views/importExport/index.phtml b/app/views/importExport/index.phtml
index a64524bf1..c0bc412c3 100644
--- a/app/views/importExport/index.phtml
+++ b/app/views/importExport/index.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('importExport', 'import'); ?>" enctype="multipart/form-data">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('sub.import_export.import'); ?></legend>
 		<div class="form-group">
 			<label class="group-name" for="file">
@@ -23,6 +24,7 @@
 
 	<?php if (count($this->feeds) > 0) { ?>
 	<form method="post" action="<?php echo _url('importExport', 'export'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('sub.import_export.export'); ?></legend>
 		<div class="form-group">
 			<div class="group-controls">
diff --git a/app/views/index/logs.phtml b/app/views/index/logs.phtml
index 0938491c3..a88f89278 100644
--- a/app/views/index/logs.phtml
+++ b/app/views/index/logs.phtml
@@ -3,6 +3,7 @@
 
 	<h1><?php echo _t('index.log'); ?></h1>
 	<form method="post" action="<?php echo _url('index', 'logs'); ?>"><p>
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<input type="hidden" name="clearLogs" />
 		<button type="submit" class="btn"><?php echo _t('index.log.clear'); ?></button>
 	</p></form>
diff --git a/app/views/stats/idle.phtml b/app/views/stats/idle.phtml
index 8c5f182c2..88c78d465 100644
--- a/app/views/stats/idle.phtml
+++ b/app/views/stats/idle.phtml
@@ -19,6 +19,7 @@
 			<h2><?php echo _t('gen.date.' . $period); ?></h2>
 
 			<form id="form-delete" method="post">
+			<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 			<?php foreach ($feeds as $feed) { ?>
 			<ul class="horizontal-list">
 				<li class="item">
diff --git a/app/views/subscription/index.phtml b/app/views/subscription/index.phtml
index 07cebf817..48f760d3e 100644
--- a/app/views/subscription/index.phtml
+++ b/app/views/subscription/index.phtml
@@ -6,6 +6,7 @@
 	<h2><?php echo _t('sub.title'); ?></h2>
 
 	<form id="add_rss" method="post" action="<?php echo _url('feed', 'add'); ?>" autocomplete="off">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<div class="stick">
 			<input type="url" name="url_rss" class="long" placeholder="<?php echo _t('sub.feed.add'); ?>" />
 			<div class="dropdown">
@@ -56,13 +57,16 @@
 
 		<ul class="box-content box-content-centered">
 			<form action="<?php echo _url('category', 'create'); ?>" method="post">
+				<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 				<li class="item"><input type="text" id="new-category" name="new-category" placeholder="<?php echo _t('sub.category.new'); ?>" /></li>
 				<li class="item"><button class="btn btn-important" type="submit"><?php echo _t('gen.action.submit'); ?></button></li>
 			</form>
 		</ul>
 	</div>
 
-	<form id="controller-category" method="post" aria-hidden="true"></form>
+	<form id="controller-category" method="post" aria-hidden="true">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
+	</form>
 
 	<?php
 		foreach ($this->categories as $cat) {
@@ -71,6 +75,7 @@
 	<div class="box">
 		<div class="box-title">
 			<form action="<?php echo _url('category', 'update', 'id', $cat->id()); ?>" method="post">
+				<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 				<input type="text" name="name" value="<?php echo $cat->name(); ?>" />
 
 				<div class="dropdown">
diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml
index e48841d9b..aab3aa4c4 100644
--- a/app/views/user/manage.phtml
+++ b/app/views/user/manage.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('user', 'create'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('admin.user.create'); ?></legend>
 
 		<div class="form-group">
@@ -46,6 +47,7 @@
 	</form>
 
 	<form method="post" action="<?php echo _url('user', 'delete'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('admin.user.users'); ?></legend>
 
 		<div class="form-group">
diff --git a/app/views/user/profile.phtml b/app/views/user/profile.phtml
index 51a5aed2f..429375e44 100644
--- a/app/views/user/profile.phtml
+++ b/app/views/user/profile.phtml
@@ -4,6 +4,7 @@
 	<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 
 	<form method="post" action="<?php echo _url('user', 'profile'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.profile'); ?></legend>
 
 		<div class="form-group">
@@ -52,6 +53,7 @@
 
 	<?php if (!FreshRSS_Auth::hasAccess('admin')) { ?>
 	<form id="crypto-form" method="post" action="<?php echo _url('user', 'delete'); ?>">
+		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<legend><?php echo _t('conf.profile.delete'); ?></legend>
 
 		<p class="alert alert-warn"><span class="alert-head"><?php echo _t('gen.short.attention'); ?></span> <?php echo _t('conf.profile.delete.warn'); ?></p>
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 8196f7847..b5ba78889 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -391,7 +391,7 @@ function cryptAvailable() {
 
 function is_referer_from_same_domain() {
 	if (empty($_SERVER['HTTP_REFERER'])) {
-		return false;
+		return true;	//Accept empty referer while waiting for good support of meta referrer same-origin policy in browsers
 	}
 	$host = parse_url(((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') ? 'https://' : 'http://') .
 		(empty($_SERVER['HTTP_HOST']) ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']));
diff --git a/p/scripts/main.js b/p/scripts/main.js
index 62f0fbb1a..89edc54e5 100644
--- a/p/scripts/main.js
+++ b/p/scripts/main.js
@@ -134,7 +134,10 @@ function mark_read(active, only_not_read) {
 	$.ajax({
 		type: 'POST',
 		url: url,
-		data : { ajax: true }
+		data : {
+			ajax: true,
+			_csrf: context.csrf,
+		},
 	}).done(function (data) {
 		var $r = active.find("a.read").attr("href", data.url),
 			inc = 0;
@@ -178,7 +181,10 @@ function mark_favorite(active) {
 	$.ajax({
 		type: 'POST',
 		url: url,
-		data : { ajax: true }
+		data : {
+			ajax: true,
+			_csrf: context.csrf,
+		},
 	}).done(function (data) {
 		var $b = active.find("a.bookmark").attr("href", data.url),
 			inc = 0;
@@ -775,6 +781,9 @@ function updateFeed(feeds, feeds_count) {
 	$.ajax({
 		type: 'POST',
 		url: feed.url,
+		data : {
+			_csrf: context.csrf,
+		},
 	}).always(function (data) {
 		feed_processed++;
 		$("#actualizeProgress .progress").html(feed_processed + " / " + feeds_count);
-- 
cgit v1.2.3