forked from mirrors/forgejo
cd00d61b91
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/10851 - Resolves forgejo/forgejo#10849 - Yes, the referrer policy is causing cross-origin protection to fail. Why? Because someone really cared about privacy, the referrer policy was set to no-referrer. So no `Referrer` HTTP header and `Origin` is either omited or set to `null`, because hey the browser isn't allowed to leak it via that header either. The new cross-origin protection relies on Sec-Fetch metadata to determine if the request is same-origin or not. This metadata is only sent to trustworthy origins, and thus not when you visit Forgejo on your intranet. But the new protection has a fallback to compare the Origin to the Host header... but the Origin header was conviently set to `null` to protect the user's privacy. - We now set the referrer policy to strict-origin, which means only for same-origin requests a Origin header is set. For cross-origin the behavior is unchanged and the user's privacy is preserved. Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10858 Reviewed-by: Beowulf <beowulf@beocode.eu> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> |
||
|---|---|---|
| .. | ||
| admin | ||
| api/packages/pypi | ||
| base | ||
| custom | ||
| devtest | ||
| explore | ||
| htmx | ||
| moderation | ||
| org | ||
| package | ||
| projects | ||
| repo | ||
| shared | ||
| status | ||
| swagger | ||
| user | ||
| webhook | ||
| home.tmpl | ||
| home_forgejo.tmpl | ||
| install.tmpl | ||
| post-install.tmpl | ||