Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -r1.126.2.68 -r1.126.2.69
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 26 Jun 2022 19:37:55 -0000 1.126.2.68
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 23 Aug 2022 18:44:55 -0000 1.126.2.69
@@ -2997,6 +2997,7 @@
#
security::csp::require default-src 'self'
security::csp::require script-src 'self'
+ security::csp::require script-src 'strict-dynamic'
security::csp::require style-src 'self'
security::csp::require img-src 'self'
security::csp::require font-src 'self'
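Review bot: `'strict-dynamic'` on the added line `+ security::csp::require script-src 'strict-dynamic'` only takes effect when the same script-src directive also carries a nonce or hash source, and in CSP3-capable browsers its presence makes the `'self'` on the preceding line ignored, so every inline or same-origin script that is neither nonced/hashed nor loaded by a nonced script will be blocked. Please confirm that the policy built from these defaults also adds a per-request nonce (or hash) source to script-src before the header is emitted, and record that dependency in the `#` comment block above this default list, since a reader of the defaults alone cannot tell that `'self'` is no longer what governs script loading.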
@@ -3129,12 +3130,15 @@
Request Forgery). The token is set (and cached) in a global
per-thread variable and can be included in forms e.g. via the
following command.
-
-
+
+ <if @::__csrf_token@ defined> + <input type="hidden" name="__csrf_token" value="@::__csrf_token;literal@"> + </if> +
The token is automatically cleared together with other global variables at the end of the processing of every request. - +
The optional argument user_id is currently ignored, but it is there, since there are algorithms published to calculate the CSRF token based on a user_id. So far, i found no evidence
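Review bot: the ADP snippet added to the docstring (`<if @::__csrf_token@ defined> ... </if>`) silently emits no hidden field when `::__csrf_token` is unset, so a page whose .tcl never generated the token renders an unprotected form with no error; the text should state that the token proc must be called in the request's Tcl code before the template is rendered, and that the verifying side must reject a request with no token, rather than only that the variable "can be included in forms". Also, `@::__csrf_token;literal@` turns off the template's HTML quoting, which is safe only as long as the generated token stays restricted to characters that are harmless inside an attribute value; note that constraint beside the example or drop `;literal` so the default quoting applies.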