Tree: 207c19e3df

master

v0.1

v0.2

v0.3

v0.4

v0.4.1

v0.5

v0.5.1

v0.5.2

v0.6

v0.6.1

v0.6.2

v0.6.3

v0.7

v0.7.2

v0.7.3

v0.7.3.2

v0.7.4

v0.8

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.9

v0.9.1

v0.9.2

v1.0

v1.0.1

v1.0.2

v1.0.3

v1.1

v1.1.1

v1.1.10

v1.1.11

v1.1.12

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.3

v1.3.1

v1.3.2

v1.3.3

v2.0

v2.1

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

Branches Tags

${ item.name }

Create tag ${ searchTerm }

Create branch ${ searchTerm }

from '207c19e3df'

${ noResults }

Commit Graph

9 Commits (207c19e3df34837489cee90ba4e2fa97f150f4a1)

Author	SHA1	Message	Date
andreimarcu	9847beeff5	Cleanup	9 years ago
andreimarcu	3c659601e2	Make it an option for post uploads	9 years ago
andreimarcu	9b724725b3	Blank referrers are allowed	9 years ago
mutantmonkey	d138755806	do a proper same-origin check String prefix matching is hacky and provides insufficient checking if it does not end with a /.	9 years ago
mutantmonkey	a3723d3665	short-circuit on origin header If the Origin header is present, we can check it and skip the other checks.	9 years ago
mutantmonkey	a7ae455ac1	strict referrer check improvements * Always check Origin if it is present, regardless of headers sent * Whitelist X-Requested-With header	9 years ago
mutantmonkey	cd83f9f0eb	fix CSP referrer policy The policy of "referrer none" was incorrect and was nonfunctional. With this change, the CSP referrer policy is set to origin, which will causes only the origin to be sent for requests made from the main site. A fix was also needed for referrer checks in two places.	9 years ago
mutantmonkey	39d874374d	trim trailing / for origin checking	9 years ago
mutantmonkey	6ff181facb	add strict referrer check for POST uploads This should protect against cross-site request forgery without the need for cookies. It continues to allow requests with Linx-Delete-Key, Linx-Expiry, or Linx-Randomize headers as these will not be set in the case of cross-site requests.	9 years ago