gramps 5986c4ad86 fix: close two CSRF origin-check security gaps ...

- Extend origin check to all /api/ requests (not just state-changing methods),
  closing the GET/HEAD/OPTIONS bypass that allowed cross-origin reads
- origin_allowed() now returns False when both Origin and Referer headers
  are absent, preventing script-initiated requests from bypassing the check
- Update AGENTS.md and README.md to document the changes

2026-06-27 15:20:02 -07:00

2.7 KiB

Raw Blame History

View Raw