mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-16 15:56:34 +00:00
cd00d61b91
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/10851 - Resolves forgejo/forgejo#10849 - Yes, the referrer policy is causing cross-origin protection to fail. Why? Because someone really cared about privacy, the referrer policy was set to no-referrer. So no `Referrer` HTTP header and `Origin` is either omited or set to `null`, because hey the browser isn't allowed to leak it via that header either. The new cross-origin protection relies on Sec-Fetch metadata to determine if the request is same-origin or not. This metadata is only sent to trustworthy origins, and thus not when you visit Forgejo on your intranet. But the new protection has a fallback to compare the Origin to the Host header... but the Origin header was conviently set to `null` to protect the user's privacy. - We now set the referrer policy to strict-origin, which means only for same-origin requests a Origin header is set. For cross-origin the behavior is unchanged and the user's privacy is preserved. Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10858 Reviewed-by: Beowulf <beowulf@beocode.eu> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> |
||
|---|---|---|
| .. | ||
| alert.tmpl | ||
| alert_details.tmpl | ||
| disable_form_autofill.tmpl | ||
| footer.tmpl | ||
| footer_content.tmpl | ||
| head.tmpl | ||
| head_navbar.tmpl | ||
| head_opengraph.tmpl | ||
| head_script.tmpl | ||
| head_style.tmpl | ||
| modal_actions_confirm.tmpl | ||
| paginate.tmpl | ||