ajet/gitea
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Replace CSRF cookie with CrossOriginProtection (#36183)

Browse Source 
Removes the CSRF cookie in favor of
[`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection)
which relies purely on HTTP headers.

Fixes: https://github.com/go-gitea/gitea/issues/11188
Fixes: https://github.com/go-gitea/gitea/issues/30333
Helps: https://github.com/go-gitea/gitea/issues/35107

TODOs:

- [x] Fix tests
- [ ] Ideally add tests to validates the protection

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
silverwind
2025-12-25 11:33:34 +01:00
committed by GitHub
parent eddf875992
commit 42d294941c
207 changed files with 178 additions and 1196 deletions
Download Patch File Download Diff File Expand all files Collapse all files
templates/user/settings/security/openid.tmpl
-2
View File
@@ -16,7 +16,6 @@
</div>
<div class="flex-item-trailing">
<form action="{{AppSubUrl}}/user/settings/security/openid/toggle_visibility" method="post">
{{$.CsrfTokenHtml}}
<input name="id" type="hidden" value="{{.ID}}">
{{if .Show}}
<button class="ui tiny button">
@@ -40,7 +39,6 @@
</div>
<div class="ui bottom attached segment">
<form class="ui form" action="{{AppSubUrl}}/user/settings/security/openid" method="post">
{{.CsrfTokenHtml}}
<div class="required field {{if .Err_OpenID}}error{{end}}">
<label for="openid">{{ctx.Locale.Tr "settings.add_new_openid"}}</label>
<input id="openid" name="openid" type="text" required>
templates/user/settings/security/twofa.tmpl
-2
View File
@@ -6,12 +6,10 @@
{{if .TOTPEnrolled}}
<p>{{ctx.Locale.Tr "settings.twofa_is_enrolled"}}</p>
<form class="ui form" action="{{AppSubUrl}}/user/settings/security/two_factor/regenerate_scratch" method="post" enctype="multipart/form-data">
{{.CsrfTokenHtml}}
<p>{{ctx.Locale.Tr "settings.regenerate_scratch_token_desc"}}</p>
<button class="ui primary button">{{ctx.Locale.Tr "settings.twofa_scratch_token_regenerate"}}</button>
</form>
<form class="ui form" action="{{AppSubUrl}}/user/settings/security/two_factor/disable" method="post" enctype="multipart/form-data" id="disable-form">
{{.CsrfTokenHtml}}
<p>{{ctx.Locale.Tr "settings.twofa_disable_note"}}</p>
<button class="ui red button delete-button" data-modal-id="disable-twofa" data-type="form" data-form="#disable-form">{{ctx.Locale.Tr "settings.twofa_disable"}}</button>
</form>
templates/user/settings/security/twofa_enroll.tmpl
-1
View File
@@ -9,7 +9,6 @@
<p>{{ctx.Locale.Tr "settings.or_enter_secret" .TwofaSecret}}</p>
<p>{{ctx.Locale.Tr "settings.then_enter_passcode"}}</p>
<form class="ui form" action="{{.Link}}" method="post">
{{.CsrfTokenHtml}}
<div class="inline required field {{if .Err_Passcode}}error{{end}}">
<label for="passcode">{{ctx.Locale.Tr "passcode"}}</label>
<input id="passcode" name="passcode" autofocus required>