fix: Referrer-Policy no-referrer caused Origin: null on login

This commit is contained in:
portakal 2026-06-16 14:56:33 +03:00
commit ca52b2115b

View file

@ -80,7 +80,10 @@ async function main() {
res.setHeader('X-Content-Type-Options', 'nosniff'); res.setHeader('X-Content-Type-Options', 'nosniff');
// Clickjacking protection for the form-driven UI (login, upload, delete...). // Clickjacking protection for the form-driven UI (login, upload, delete...).
res.setHeader('X-Frame-Options', 'DENY'); res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('Referrer-Policy', 'no-referrer'); // NOTE: 'no-referrer' makes Chromium send `Origin: null` on form-POST navigations,
// which then trips our checkOrigin CSRF guard. 'same-origin' keeps the referrer
// hidden from external sites while preserving the Origin header for our own POSTs.
res.setHeader('Referrer-Policy', 'same-origin');
// No inline scripts (handlers live in /static/app.js); inline styles allowed for // No inline scripts (handlers live in /static/app.js); inline styles allowed for
// the small dynamic bits (disk meter width). Blocks framing and foreign resources. // the small dynamic bits (disk meter width). Blocks framing and foreign resources.
res.setHeader( res.setHeader(