Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of [`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection) which relies purely on HTTP headers. Fixes: https://github.com/go-gitea/gitea/issues/11188 Fixes: https://github.com/go-gitea/gitea/issues/30333 Helps: https://github.com/go-gitea/gitea/issues/35107 TODOs: - [x] Fix tests - [ ] Ideally add tests to validates the protection --------- Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-12-25 11:33:34 +01:00
parent eddf875992
commit 42d294941c
207 changed files with 178 additions and 1196 deletions
@@ -5,7 +5,6 @@
 	<p>{{ctx.Locale.Tr "settings.oauth2_application_create_description"}}</p>
 </div>
 <div class="ui attached segment form ignore-dirty">
-	{{.CsrfTokenHtml}}
 	<div class="field">
 		<label for="client-id">{{ctx.Locale.Tr "settings.oauth2_client_id"}}</label>
 		<input id="client-id" readonly value="{{.App.ClientID}}">
@@ -24,7 +23,6 @@
 	<div class="item">
 		<!-- TODO add regenerate secret functionality */ -->
 		<form class="ui form ignore-dirty" action="{{.FormActionPath}}/regenerate_secret" method="post">
-			{{.CsrfTokenHtml}}
 			{{ctx.Locale.Tr "settings.oauth2_regenerate_secret_hint"}}
 			<button class="ui mini button tw-ml-2" type="submit">{{ctx.Locale.Tr "settings.oauth2_regenerate_secret"}}</button>
 		</form>
@@ -32,7 +30,6 @@
 </div>
 <div class="ui bottom attached segment">
 	<form class="ui form ignore-dirty" action="{{.FormActionPath}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="field {{if .Err_AppName}}error{{end}}">
 			<label for="application-name">{{ctx.Locale.Tr "settings.oauth2_application_name"}}</label>
 			<input id="application-name" value="{{.App.Name}}" name="application_name" required maxlength="255">