forgejo/templates/base/head.tmpl
Gusted 2a8881c4ca
fix: use strict-origin as referrer policy (#10851)
- Resolves forgejo/forgejo#10849
- Yes, the referrer policy is causing cross-origin protection to fail.
Why? Because someone really cared about privacy, the referrer policy was
set to no-referrer. So no `Referrer` HTTP header and `Origin` is either
omitted or set to `null`, because hey the browser isn't allowed to leak
it via that header either. The new cross-origin protection relies on
Sec-Fetch metadata to determine if the request is same-origin or not.
This metadata is only sent to trustworthy origins, and thus not when
you visit Forgejo on your intranet. But the new protection has a
fallback to compare the Origin to the Host header... but the Origin
header was conveniently set to `null` to protect the user's privacy.
- We now set the referrer policy to strict-origin, which means only for
same-origin requests an Origin header is set. For cross-origin the
behavior is unchanged and the user's privacy is preserved.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10851
Reviewed-by: Beowulf <beowulf@beocode.eu>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2026-01-16 00:03:07 +01:00
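
An added example, not Forgejo's code: a simplified Go model of the check the commit message describes (Sec-Fetch-Site first, then Origin compared with Host), showing why a POST carrying `Origin: null` is rejected when Sec-Fetch metadata is absent. The helper names, the hostname and the choice to allow requests that carry neither header are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// crossOriginVerdict is a hypothetical helper modelling the check described in
// the commit message: trust Sec-Fetch-Site when present, otherwise fall back
// to comparing the Origin header's host with the Host header.
func crossOriginVerdict(r *http.Request) string {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return "allow: safe method"
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none":
		return "allow: sec-fetch-site"
	case "":
		// Metadata absent (not a trustworthy origin): use the fallback below.
	default:
		return "deny: sec-fetch-site"
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return "allow: no browser headers" // assumption: non-browser client
	}
	if u, err := url.Parse(origin); err == nil && u.Host == r.Host {
		return "allow: origin matches host"
	}
	return "deny: origin mismatch" // includes the opaque value "null"
}

// post builds a constructed POST request to host with the given headers.
func post(host string, headers map[string]string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "http://"+host+"/user/settings", nil)
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	host := "forgejo.intranet.example" // constructed hostname
	fmt.Println(crossOriginVerdict(post(host, map[string]string{"Origin": "null"})))
	fmt.Println(crossOriginVerdict(post(host, map[string]string{"Origin": "http://" + host})))
	fmt.Println(crossOriginVerdict(post(host, map[string]string{"Sec-Fetch-Site": "cross-site"})))
}
```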

47 lines
2.1 KiB
Go HTML Template

<!DOCTYPE html>
<html lang="{{ctx.Locale.Lang}}" data-theme="{{ThemeName .SignedUser}}">
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
{{/* Display `- .Repository.FullName` only if `.Title` does not already start with that. */}}
<title>{{if .Title}}{{.Title}} - {{end}}{{if and (.Repository.Name) (not (StringUtils.HasPrefix .Title .Repository.FullName))}}{{.Repository.FullName}} - {{end}}{{AppDisplayName}}</title>
<link rel="manifest" href="/manifest.json">
<meta name="author" content="{{if .Repository}}{{.Owner.Name}}{{else}}{{MetaAuthor}}{{end}}">
<meta name="description" content="{{if .Repository}}{{.Repository.Name}}{{if .Repository.Description}} - {{.Repository.Description}}{{end}}{{else}}{{MetaDescription}}{{end}}">
<meta name="keywords" content="{{MetaKeywords}}">
<meta name="referrer" content="strict-origin">
{{if .GoGetImport}}
<meta name="go-import" content="{{.GoGetImport}} git {{.RepoCloneLink.HTTPS}}">
<meta name="go-source" content="{{.GoGetImport}} _ {{.GoDocDirectory}} {{.GoDocFile}}">
{{end}}
{{if and .EnableFeed .FeedURL}}
<link rel="alternate" type="application/atom+xml" title="" href="{{.FeedURL}}.atom">
<link rel="alternate" type="application/rss+xml" title="" href="{{.FeedURL}}.rss">
{{end}}
<link rel="icon" href="{{AssetUrlPrefix}}/img/favicon.svg" type="image/svg+xml">
<link rel="alternate icon" href="{{AssetUrlPrefix}}/img/favicon.png" type="image/png">
{{template "base/head_script" .}}
{{template "shared/user/mention_highlight" .}}
{{template "base/head_opengraph" .}}
{{template "base/head_style" .}}
{{template "custom/header" .}}
</head>
<body class="no-js" hx-swap="outerHTML" hx-ext="morph" hx-push-url="false">
{{template "custom/body_outer_pre" .}}
<div class="full height">
<noscript>
<div class="tw-ml-2 tw-mr-2 tw-text-center tw-text-text-light-2">{{ctx.Locale.Tr "enable_javascript"}}</div>
</noscript>
{{template "custom/body_inner_pre" .}}
{{if not .PageIsInstall}}
{{template "base/head_navbar" .}}
{{end}}
{{if false}}
{{/* to make html structure "likely" complete to prevent IDE warnings */}}
</div>
</body>
</html>
{{end}}