Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v diff -u -r1.126.2.68 -r1.126.2.69 --- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 26 Jun 2022 19:37:55 -0000 1.126.2.68 +++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 23 Aug 2022 18:44:55 -0000 1.126.2.69 @@ -2997,6 +2997,7 @@ # security::csp::require default-src 'self' security::csp::require script-src 'self' + security::csp::require script-src 'strict-dynamic' security::csp::require style-src 'self' security::csp::require img-src 'self' security::csp::require font-src 'self' @@ -3129,12 +3130,15 @@ Request Forgery). The token is set (and cached) in a global per-thread variable and can be included in forms e.g. via the following command. - - - +

+

+        <if @::__csrf_token@ defined>
+            <input type="hidden" name="__csrf_token" value="@::__csrf_token;literal@">
+        </if>
+

The token is automatically cleared together with other global variables at the end of the processing of every request. - +

The optional argument user_id is currently ignored, but it is there, since there are algorithms published to calculate the CSRF token based on a user_id. So far, i found no evidence
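Review bot: in the first hunk, `security::csp::require script-src 'strict-dynamic'` only has an effect when the same directive also carries a nonce or hash source, and a CSP3 browser that sees 'strict-dynamic' ignores the 'self' entry on the line before it; after this change first-party scripts load only if every script element on the page has the per-request nonce (or a matching hash). The hunk shows script-src being built from 'self' and 'strict-dynamic' alone, so please confirm that the nonce source is added to script-src on the same code path for every page that reaches this block, and note that 'strict-dynamic' propagates trust only to scripts created by non-parser-inserted means such as createElement/appendChild, not to scripts injected through document.write or innerHTML. A short comment above the added line stating that 'self' remains only as a fallback for browsers without CSP3 support would make the intent clear to the next reader.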
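Review bot: in the second hunk the documented form snippet outputs the token as `@::__csrf_token;literal@`, and the `;literal` modifier bypasses the template engine's HTML quoting; that is acceptable only because the token is generated server-side, so the comment should say so and warn against copying the `;literal` form for values that can contain user input. The `<if @::__csrf_token@ defined>` guard also means that a form rendered before the token has been set silently ships without the hidden field, so the problem surfaces only when the form is submitted without the token rather than at render time; the doc should name the call that sets the per-thread token and state that it must run before the form template is rendered.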