
meta referrer origin #1198

Merged
merged 1 commit into from
Aug 7, 2016

Conversation

Alkarex
Member

@Alkarex Alkarex commented Aug 7, 2016

#955
Tested in Firefox 48, Chrome 53, Edge 25

@Frenzie
Member

Frenzie commented Sep 19, 2016

I think this may have broken the ability to update stuff in extensions, unless something went wrong for me while upgrading to 1.5.

Error 403 - Forbidden

You don’t have permission to access this page [HTTP_REFERER=]
← Go back to your RSS feeds

@Frenzie
Member

Frenzie commented Sep 19, 2016

Specifically it's this codepath that gets executed:

private static function initAuth() {
    FreshRSS_Auth::init();
    if (Minz_Request::isPost() && !(is_referer_from_same_domain() && FreshRSS_Auth::isCsrfOk())) {
        // Basic protection against XSRF attacks
        FreshRSS_Auth::removeAccess();
        $http_referer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
        Minz_Translate::init('en'); //TODO: Better choice of fallback language
        Minz_Error::error(
            403,
            array('error' => array(
                _t('feedback.access.denied'),
                ' [HTTP_REFERER=' . htmlspecialchars($http_referer) . ']'
            ))
        );
    }
}

@Alkarex
Member Author

Alkarex commented Sep 19, 2016

Yes indeed. Related issue #1253
I believe the CSRF token is missing for the extensions.
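Added example, not FreshRSS code: how the initAuth() check quoted above combines an origin-only Referer comparison (what the browser sends under meta referrer "origin") with the CSRF token that the extension forms are said to lack. The host rss.example.test, the function names and the session token are assumptions.

```php
<?php
// Added example, not FreshRSS code. Under <meta name="referrer" content="origin">
// the browser sends only the origin, e.g. "https://rss.example.test/", so a
// same-domain check must compare scheme, host and port, never the full URL.
function referer_is_same_origin(string $referer, string $scheme, string $host, int $port): bool
{
    if ($referer === '') {
        return false; // no Referer header at all: the "[HTTP_REFERER=]" case above
    }
    $p = parse_url($referer);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    $refPort = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
    return strcasecmp($p['scheme'], $scheme) === 0
        && strcasecmp($p['host'], $host) === 0
        && $refPort === $port;
}

// Constant-time comparison of the token submitted with the form against the
// token stored in the session; a form that carries no token always fails.
function csrf_token_ok(?string $submitted, string $sessionToken): bool
{
    return $submitted !== null && $sessionToken !== '' && hash_equals($sessionToken, $submitted);
}

// Same shape as the initAuth() condition quoted above: a POST is refused
// unless the Referer is same-origin AND the CSRF token matches.
function post_is_allowed(bool $isPost, string $referer, ?string $token, string $sessionToken): bool
{
    if (!$isPost) {
        return true;
    }
    return referer_is_same_origin($referer, 'https', 'rss.example.test', 443)
        && csrf_token_ok($token, $sessionToken);
}

// Constructed requests against a hypothetical instance at https://rss.example.test
$session = 'constructed-session-token';
var_dump(post_is_allowed(true, 'https://rss.example.test/', $session, $session));          // origin-only Referer, matching token
var_dump(post_is_allowed(true, 'https://rss.example.test/i/?c=extension', null, $session)); // same origin, but the form sent no token (the extensions case)
var_dump(post_is_allowed(true, '', $session, $session));                                    // empty Referer with a matching token
var_dump(post_is_allowed(true, 'https://other.example.test/', $session, $session));         // Referer from another origin
var_dump(post_is_allowed(false, '', null, $session));                                       // not a POST: not checked here
```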

@Alkarex Alkarex mentioned this pull request Sep 19, 2016
javerous pushed a commit to javerous/FreshRSS that referenced this pull request Jan 20, 2020