Replace CSRF cookie with CrossOriginProtection (#36183)

Removes the CSRF cookie in favor of
[`CrossOriginProtection`](https://pkg.go.dev/net/http#CrossOriginProtection)
which relies purely on HTTP headers.

Fixes: https://github.com/go-gitea/gitea/issues/11188
Fixes: https://github.com/go-gitea/gitea/issues/30333
Helps: https://github.com/go-gitea/gitea/issues/35107

TODOs:

- [x] Fix tests
- [ ] Ideally add tests to validates the protection

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

custom/conf/app.example.ini

@@ -503,9 +503,6 @@ INTERNAL_TOKEN =
 ;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
 ;PASSWORD_HASH_ALGO = pbkdf2
 ;;
-;; Set false to allow JavaScript to read CSRF cookie
-;CSRF_COOKIE_HTTP_ONLY = true
-;;
 ;; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed
 ;PASSWORD_CHECK_PWN = false
 ;;

modules/setting/markup.go

@@ -255,7 +255,7 @@ func newMarkupRenderer(name string, sec ConfigSection) {
 	}
 
 	// ATTENTION! at the moment, only a safe set like "allow-scripts" are allowed for sandbox mode.
-	// "allow-same-origin" should never be used, it leads to XSS attack, and it makes the JS in iframe can access parent window's config and CSRF token
+	// "allow-same-origin" should NEVER be used, it leads to XSS attack: makes the JS in iframe can access parent window's config and send requests with user's credentials.
 	renderContentSandbox := sec.Key("RENDER_CONTENT_SANDBOX").MustString("allow-scripts allow-popups")
 	if renderContentSandbox == "disabled" {
 		renderContentSandbox = ""

modules/setting/oauth2.go

@@ -133,7 +133,7 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 
 	// FIXME: at the moment, no matter oauth2 is enabled or not, it must generate a "oauth2 JWT_SECRET"
 	// Because this secret is also used as GeneralTokenSigningSecret (as a quick not-that-breaking fix for some legacy problems).
-	// Including: CSRF token, account validation token, etc ...
+	// Including: account validation token, etc ...
 	// In main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
 	jwtSecretBase64 := loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET")
 	if InstallLock {

modules/setting/security.go

@@ -36,8 +36,6 @@ var (
 	PasswordCheckPwn                   bool
 	SuccessfulTokensCacheSize          int
 	DisableQueryAuthToken              bool
-	CSRFCookieName                     = "_csrf"
-	CSRFCookieHTTPOnly                 = true
 	RecordUserSignupMetadata           = false
 	TwoFactorAuthEnforced              = false
 )
@@ -139,7 +137,6 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 		log.Fatal("The provided password hash algorithm was invalid: %s", sec.Key("PASSWORD_HASH_ALGO").MustString(""))
 	}
 
-	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
 	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
 	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
 

routers/common/auth.go

@@ -38,8 +38,8 @@ func AuthShared(ctx *context.Base, sessionStore auth_service.SessionStore, authM
 
 // VerifyOptions contains required or check options
 type VerifyOptions struct {
-	SignInRequired  bool
-	SignOutRequired bool
-	AdminRequired   bool
-	DisableCSRF     bool
+	SignInRequired               bool
+	SignOutRequired              bool
+	AdminRequired                bool
+	DisableCrossOriginProtection bool
 }

routers/web/auth/auth.go

@@ -102,7 +102,6 @@ func autoSignIn(ctx *context.Context) (bool, error) {
 		return false, err
 	}
 
-	ctx.Csrf.PrepareForSessionUser(ctx)
 	return true, nil
 }
 
@@ -357,9 +356,6 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRe
 		ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
 	}
 
-	// force to generate a new CSRF token
-	ctx.Csrf.PrepareForSessionUser(ctx)
-
 	// Register last login
 	if err := user_service.UpdateUser(ctx, u, &user_service.UpdateOptions{SetLastLogin: true}); err != nil {
 		ctx.ServerError("UpdateUser", err)
@@ -403,7 +399,6 @@ func HandleSignOut(ctx *context.Context) {
 	_ = ctx.Session.Flush()
 	_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
 	ctx.DeleteSiteCookie(setting.CookieRememberName)
-	ctx.Csrf.DeleteCookie(ctx)
 	middleware.DeleteRedirectToCookie(ctx.Resp)
 }
 
@@ -811,8 +806,6 @@ func handleAccountActivation(ctx *context.Context, user *user_model.User) {
 		return
 	}
 
-	ctx.Csrf.PrepareForSessionUser(ctx)
-
 	if err := resetLocale(ctx, user); err != nil {
 		ctx.ServerError("resetLocale", err)
 		return

routers/web/auth/oauth.go

@@ -393,9 +393,6 @@ func handleOAuth2SignIn(ctx *context.Context, authSource *auth.Source, u *user_m
 			return
 		}
 
-		// force to generate a new CSRF token
-		ctx.Csrf.PrepareForSessionUser(ctx)
-
 		if err := resetLocale(ctx, u); err != nil {
 			ctx.ServerError("resetLocale", err)
 			return

routers/web/githttp.go

@@ -22,5 +22,5 @@ func addOwnerRepoGitHTTPRouters(m *web.Router) {
 		m.Methods("GET,OPTIONS", "/objects/{head:[0-9a-f]{2}}/{hash:[0-9a-f]{38,62}}", repo.GetLooseObject)
 		m.Methods("GET,OPTIONS", "/objects/pack/pack-{file:[0-9a-f]{40,64}}.pack", repo.GetPackFile)
 		m.Methods("GET,OPTIONS", "/objects/pack/pack-{file:[0-9a-f]{40,64}}.idx", repo.GetIdxFile)
-	}, optSignInIgnoreCsrf, repo.HTTPGitEnabledHandler, repo.CorsHandler(), context.UserAssignmentWeb())
+	}, repo.HTTPGitEnabledHandler, repo.CorsHandler(), optSignInFromAnyOrigin, context.UserAssignmentWeb())
 }

routers/web/user/setting/keys.go

@@ -325,7 +325,7 @@ func loadKeysData(ctx *context.Context) {
 	ctx.Data["GPGKeys"] = gpgkeys
 	tokenToSign := asymkey_model.VerificationToken(ctx.Doer, 1)
 
-	// generate a new aes cipher using the csrfToken
+	// generate a new aes cipher using the token
 	ctx.Data["TokenToSign"] = tokenToSign
 
 	principals, err := db.Find[asymkey_model.PublicKey](ctx, asymkey_model.FindPublicKeyOptions{

routers/web/web.go

@@ -129,13 +129,13 @@ func webAuth(authMethod auth_service.Method) func(*context.Context) {
 			// ensure the session uid is deleted
 			_ = ctx.Session.Delete("uid")
 		}
-
-		ctx.Csrf.PrepareForSessionUser(ctx)
 	}
 }
 
 // verifyAuthWithOptions checks authentication according to options
 func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Context) {
+	crossOriginProtection := http.NewCrossOriginProtection()
+
 	return func(ctx *context.Context) {
 		// Check prohibit login users.
 		if ctx.IsSigned {
@@ -178,9 +178,9 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.Cont
 			return
 		}
 
-		if !options.SignOutRequired && !options.DisableCSRF && ctx.Req.Method == http.MethodPost {
-			ctx.Csrf.Validate(ctx)
-			if ctx.Written() {
+		if !options.SignOutRequired && !options.DisableCrossOriginProtection {
+			if err := crossOriginProtection.Check(ctx.Req); err != nil {
+				http.Error(ctx.Resp, err.Error(), http.StatusForbidden)
 				return
 			}
 		}
@@ -292,7 +292,12 @@ func Routes() *web.Router {
 	return routes
 }
 
-var optSignInIgnoreCsrf = verifyAuthWithOptions(&common.VerifyOptions{DisableCSRF: true})
+// optSignInFromAnyOrigin means that the user can (optionally) be signed in from any origin (no cross-origin protection)
+//   - With CORS middleware: CORS middleware does the preflight request handling, the requests has Sec-Fetch-Site header.
+//     The CORS mechanism already protects cross-origin requests, and the CrossOriginProtection has no "allowed origin" list, so disable CrossOriginProtection.
+//   - For non-browser client requests: git clone via http, no Sec-Fetch-Site header.
+//     Such requests are not cross-origin requests, so disable CrossOriginProtection.
+var optSignInFromAnyOrigin = verifyAuthWithOptions(&common.VerifyOptions{DisableCrossOriginProtection: true})
 
 // registerWebRoutes register routes
 func registerWebRoutes(m *web.Router) {
@@ -489,7 +494,7 @@ func registerWebRoutes(m *web.Router) {
 	m.Post("/-/markup", reqSignIn, web.Bind(structs.MarkupOption{}), misc.Markup)
 
 	m.Get("/-/web-theme/list", misc.WebThemeList)
-	m.Post("/-/web-theme/apply", optSignInIgnoreCsrf, misc.WebThemeApply)
+	m.Post("/-/web-theme/apply", optSignIn, misc.WebThemeApply)
 
 	m.Group("/explore", func() {
 		m.Get("", func(ctx *context.Context) {
@@ -565,12 +570,14 @@ func registerWebRoutes(m *web.Router) {
 			m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
 			// TODO manage redirection
 			m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
-		}, optSignInIgnoreCsrf, reqSignIn)
+		}, reqSignIn)
 
-		m.Methods("GET, POST, OPTIONS", "/userinfo", optionsCorsHandler(), optSignInIgnoreCsrf, auth.InfoOAuth)
-		m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), optSignInIgnoreCsrf, auth.AccessTokenOAuth)
-		m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), optSignInIgnoreCsrf, auth.OIDCKeys)
-		m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), optSignInIgnoreCsrf, auth.IntrospectOAuth)
+		m.Group("", func() {
+			m.Methods("GET, POST, OPTIONS", "/userinfo", auth.InfoOAuth)
+			m.Methods("POST, OPTIONS", "/access_token", web.Bind(forms.AccessTokenForm{}), auth.AccessTokenOAuth)
+			m.Methods("GET, OPTIONS", "/keys", auth.OIDCKeys)
+			m.Methods("POST, OPTIONS", "/introspect", web.Bind(forms.IntrospectTokenForm{}), auth.IntrospectOAuth)
+		}, optionsCorsHandler(), optSignInFromAnyOrigin)
 	}, oauth2Enabled)
 
 	m.Group("/user/settings", func() {
@@ -1653,7 +1660,7 @@ func registerWebRoutes(m *web.Router) {
 		m.Post("/action/{action:accept_transfer|reject_transfer}", reqSignIn, repo.ActionTransfer)
 	}, optSignIn, context.RepoAssignment)
 
-	common.AddOwnerRepoGitLFSRoutes(m, optSignInIgnoreCsrf, lfsServerEnabled) // "/{username}/{reponame}/{lfs-paths}": git-lfs support
+	common.AddOwnerRepoGitLFSRoutes(m, lfsServerEnabled, repo.CorsHandler(), optSignInFromAnyOrigin) // "/{username}/{reponame}/{lfs-paths}": git-lfs support, see also addOwnerRepoGitHTTPRouters
 
 	addOwnerRepoGitHTTPRouters(m) // "/{username}/{reponame}/{git-paths}": git http support
 

services/auth/auth.go

@@ -19,7 +19,6 @@ import (
 	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
-	gitea_context "code.gitea.io/gitea/services/context"
 	user_service "code.gitea.io/gitea/services/user"
 )
 
@@ -162,9 +161,4 @@ func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore
 	}
 
 	middleware.SetLocaleCookie(resp, user.Language, 0)
-
-	// force to generate a new CSRF token
-	if ctx := gitea_context.GetWebContext(req.Context()); ctx != nil {
-		ctx.Csrf.PrepareForSessionUser(ctx)
-	}
 }

services/context/api.go

@@ -227,7 +227,7 @@ func APIContexter() func(http.Handler) http.Handler {
 
 			ctx.SetContextValue(apiContextKey, ctx)
 
-			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
+			// FIXME: GLOBAL-PARSE-FORM: see more details in another FIXME comment
 			if ctx.Req.Method == http.MethodPost && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
 				if !ctx.ParseMultipartForm() {
 					return

services/context/context.go

@@ -6,14 +6,12 @@ package context
 
 import (
 	"context"
-	"encoding/hex"
 	"fmt"
 	"html/template"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
-	"time"
 
 	"code.gitea.io/gitea/models/unit"
 	user_model "code.gitea.io/gitea/models/user"
@@ -48,7 +46,6 @@ type Context struct {
 	PageData map[string]any // data used by JavaScript modules in one page, it's `window.config.pageData`
 
 	Cache   cache.StringCache
-	Csrf    CSRFProtector
 	Flash   *middleware.Flash
 	Session session.Store
 
@@ -143,18 +140,6 @@ func NewWebContext(base *Base, render Render, session session.Store) *Context {
 // Contexter initializes a classic context for a request.
 func Contexter() func(next http.Handler) http.Handler {
 	rnd := templates.HTMLRenderer()
-	csrfOpts := CsrfOptions{
-		Secret:         hex.EncodeToString(setting.GetGeneralTokenSigningSecret()),
-		Cookie:         setting.CSRFCookieName,
-		Secure:         setting.SessionConfig.Secure,
-		CookieHTTPOnly: setting.CSRFCookieHTTPOnly,
-		CookieDomain:   setting.SessionConfig.Domain,
-		CookiePath:     setting.SessionConfig.CookiePath,
-		SameSite:       setting.SessionConfig.SameSite,
-	}
-	if !setting.IsProd {
-		CsrfTokenRegenerationInterval = 5 * time.Second // in dev, re-generate the tokens more aggressively for debug purpose
-	}
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 			base := NewBaseContext(resp, req)
@@ -167,8 +152,6 @@ func Contexter() func(next http.Handler) http.Handler {
 			ctx.PageData = map[string]any{}
 			ctx.Data["PageData"] = ctx.PageData
 
-			ctx.Csrf = NewCSRFProtector(csrfOpts)
-
 			// get the last flash message from cookie
 			lastFlashCookie, lastFlashMsg := middleware.GetSiteCookieFlashMessage(ctx, ctx.Req, CookieNameFlash)
 			if vals, _ := url.ParseQuery(lastFlashCookie); len(vals) > 0 {
@@ -184,7 +167,10 @@ func Contexter() func(next http.Handler) http.Handler {
 				}
 			})
 
-			// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
+			// FIXME: GLOBAL-PARSE-FORM: this ParseMultipartForm was used for parsing the csrf token from multipart/form-data
+			// We have dropped the csrf token, so ideally this global ParseMultipartForm should be removed.
+			// When removing this, we need to avoid regressions in the handler functions because Golang's http framework is quite fragile
+			// and developers sometimes need to manually parse the form before accessing some values.
 			if ctx.Req.Method == http.MethodPost && strings.Contains(ctx.Req.Header.Get("Content-Type"), "multipart/form-data") {
 				if !ctx.ParseMultipartForm() {
 					return

services/context/context_cookie.go

@@ -25,13 +25,11 @@ func removeSessionCookieHeader(w http.ResponseWriter) {
 }
 
 // SetSiteCookie convenience function to set most cookies consistently
-// CSRF and a few others are the exception here
 func (ctx *Context) SetSiteCookie(name, value string, maxAge int) {
 	middleware.SetSiteCookie(ctx.Resp, name, value, maxAge)
 }
 
 // DeleteSiteCookie convenience function to delete most cookies consistently
-// CSRF and a few others are the exception here
 func (ctx *Context) DeleteSiteCookie(name string) {
 	middleware.SetSiteCookie(ctx.Resp, name, "", -1)
 }

services/context/csrf.go

@@ -1,168 +0,0 @@
-// Copyright 2013 Martini Authors
-// Copyright 2014 The Macaron Authors
-// Copyright 2021 The Gitea Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License"): you may
-// not use this file except in compliance with the License. You may obtain
-// a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-// License for the specific language governing permissions and limitations
-// under the License.
-// SPDX-License-Identifier: Apache-2.0
-
-// a middleware that generates and validates CSRF tokens.
-
-package context
-
-import (
-	"html/template"
-	"net/http"
-	"strconv"
-	"time"
-
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/util"
-)
-
-const (
-	CsrfHeaderName = "X-Csrf-Token"
-	CsrfFormName   = "_csrf"
-)
-
-// CSRFProtector represents a CSRF protector and is used to get the current token and validate the token.
-type CSRFProtector interface {
-	// PrepareForSessionUser prepares the csrf protector for the current session user.
-	PrepareForSessionUser(ctx *Context)
-	// Validate validates the csrf token in http context.
-	Validate(ctx *Context)
-	// DeleteCookie deletes the csrf cookie
-	DeleteCookie(ctx *Context)
-}
-
-type csrfProtector struct {
-	opt CsrfOptions
-	// id must be unique per user.
-	id string
-	// token is the valid one which will be used by end user and passed via header, cookie, or hidden form value.
-	token string
-}
-
-// CsrfOptions maintains options to manage behavior of Generate.
-type CsrfOptions struct {
-	// The global secret value used to generate Tokens.
-	Secret string
-	// Cookie value used to set and get token.
-	Cookie string
-	// Cookie domain.
-	CookieDomain string
-	// Cookie path.
-	CookiePath     string
-	CookieHTTPOnly bool
-	// SameSite set the cookie SameSite type
-	SameSite http.SameSite
-	// Set the Secure flag to true on the cookie.
-	Secure bool
-	// sessionKey is the key used for getting the unique ID per user.
-	sessionKey string
-	// oldSessionKey saves old value corresponding to sessionKey.
-	oldSessionKey string
-}
-
-func newCsrfCookie(opt *CsrfOptions, value string) *http.Cookie {
-	return &http.Cookie{
-		Name:     opt.Cookie,
-		Value:    value,
-		Path:     opt.CookiePath,
-		Domain:   opt.CookieDomain,
-		MaxAge:   int(CsrfTokenTimeout.Seconds()),
-		Secure:   opt.Secure,
-		HttpOnly: opt.CookieHTTPOnly,
-		SameSite: opt.SameSite,
-	}
-}
-
-func NewCSRFProtector(opt CsrfOptions) CSRFProtector {
-	if opt.Secret == "" {
-		panic("CSRF secret is empty but it must be set") // it shouldn't happen because it is always set in code
-	}
-	opt.Cookie = util.IfZero(opt.Cookie, "_csrf")
-	opt.CookiePath = util.IfZero(opt.CookiePath, "/")
-	opt.sessionKey = "uid"
-	opt.oldSessionKey = "_old_" + opt.sessionKey
-	return &csrfProtector{opt: opt}
-}
-
-func (c *csrfProtector) PrepareForSessionUser(ctx *Context) {
-	c.id = "0"
-	if uidAny := ctx.Session.Get(c.opt.sessionKey); uidAny != nil {
-		switch uidVal := uidAny.(type) {
-		case string:
-			c.id = uidVal
-		case int64:
-			c.id = strconv.FormatInt(uidVal, 10)
-		default:
-			log.Error("invalid uid type in session: %T", uidAny)
-		}
-	}
-
-	oldUID := ctx.Session.Get(c.opt.oldSessionKey)
-	uidChanged := oldUID == nil || oldUID.(string) != c.id
-	cookieToken := ctx.GetSiteCookie(c.opt.Cookie)
-
-	needsNew := true
-	if uidChanged {
-		_ = ctx.Session.Set(c.opt.oldSessionKey, c.id)
-	} else if cookieToken != "" {
-		// If cookie token present, re-use existing unexpired token, else generate a new one.
-		if issueTime, ok := ParseCsrfToken(cookieToken); ok {
-			dur := time.Since(issueTime) // issueTime is not a monotonic-clock, the server time may change a lot to an early time.
-			if dur >= -CsrfTokenRegenerationInterval && dur <= CsrfTokenRegenerationInterval {
-				c.token = cookieToken
-				needsNew = false
-			}
-		}
-	}
-
-	if needsNew {
-		c.token = GenerateCsrfToken(c.opt.Secret, c.id, "POST", time.Now())
-		ctx.Resp.Header().Add("Set-Cookie", newCsrfCookie(&c.opt, c.token).String())
-	}
-
-	ctx.Data["CsrfToken"] = c.token
-	ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + template.HTMLEscapeString(c.token) + `">`)
-}
-
-func (c *csrfProtector) validateToken(ctx *Context, token string) {
-	if !ValidCsrfToken(token, c.opt.Secret, c.id, "POST", time.Now()) {
-		c.DeleteCookie(ctx)
-		// currently, there should be no access to the APIPath with CSRF token. because templates shouldn't use the `/api/` endpoints.
-		// FIXME: distinguish what the response is for: HTML (web page) or JSON (fetch)
-		http.Error(ctx.Resp, "Invalid CSRF token.", http.StatusBadRequest)
-	}
-}
-
-// Validate should be used as a per route middleware. It attempts to get a token from an "X-Csrf-Token"
-// HTTP header and then a "_csrf" form value. If one of these is found, the token will be validated.
-// If this validation fails, http.StatusBadRequest is sent.
-func (c *csrfProtector) Validate(ctx *Context) {
-	if token := ctx.Req.Header.Get(CsrfHeaderName); token != "" {
-		c.validateToken(ctx, token)
-		return
-	}
-	if token := ctx.Req.FormValue(CsrfFormName); token != "" {
-		c.validateToken(ctx, token)
-		return
-	}
-	c.validateToken(ctx, "") // no csrf token, use an empty token to respond error
-}
-
-func (c *csrfProtector) DeleteCookie(ctx *Context) {
-	cookie := newCsrfCookie(&c.opt, "")
-	cookie.MaxAge = -1
-	ctx.Resp.Header().Add("Set-Cookie", cookie.String())
-}

services/context/xsrf.go

@@ -1,99 +0,0 @@
-// Copyright 2012 Google Inc. All Rights Reserved.
-// Copyright 2014 The Macaron Authors
-// Copyright 2020 The Gitea Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// SPDX-License-Identifier: Apache-2.0
-
-package context
-
-import (
-	"bytes"
-	"crypto/hmac"
-	"crypto/sha1"
-	"crypto/subtle"
-	"encoding/base64"
-	"fmt"
-	"strconv"
-	"strings"
-	"time"
-)
-
-// CsrfTokenTimeout represents the duration that XSRF tokens are valid.
-// It is exported so clients may set cookie timeouts that match generated tokens.
-const CsrfTokenTimeout = 24 * time.Hour
-
-// CsrfTokenRegenerationInterval is the interval between token generations, old tokens are still valid before CsrfTokenTimeout
-var CsrfTokenRegenerationInterval = 10 * time.Minute
-
-var csrfTokenSep = []byte(":")
-
-// GenerateCsrfToken returns a URL-safe secure XSRF token that expires in CsrfTokenTimeout hours.
-// key is a secret key for your application.
-// userID is a unique identifier for the user.
-// actionID is the action the user is taking (e.g. POSTing to a particular path).
-func GenerateCsrfToken(key, userID, actionID string, now time.Time) string {
-	nowUnixNano := now.UnixNano()
-	nowUnixNanoStr := strconv.FormatInt(nowUnixNano, 10)
-	h := hmac.New(sha1.New, []byte(key))
-	h.Write([]byte(strings.ReplaceAll(userID, ":", "_")))
-	h.Write(csrfTokenSep)
-	h.Write([]byte(strings.ReplaceAll(actionID, ":", "_")))
-	h.Write(csrfTokenSep)
-	h.Write([]byte(nowUnixNanoStr))
-	tok := fmt.Sprintf("%s:%s", h.Sum(nil), nowUnixNanoStr)
-	return base64.RawURLEncoding.EncodeToString([]byte(tok))
-}
-
-func ParseCsrfToken(token string) (issueTime time.Time, ok bool) {
-	data, err := base64.RawURLEncoding.DecodeString(token)
-	if err != nil {
-		return time.Time{}, false
-	}
-
-	pos := bytes.LastIndex(data, csrfTokenSep)
-	if pos == -1 {
-		return time.Time{}, false
-	}
-	nanos, err := strconv.ParseInt(string(data[pos+1:]), 10, 64)
-	if err != nil {
-		return time.Time{}, false
-	}
-	return time.Unix(0, nanos), true
-}
-
-// ValidCsrfToken returns true if token is a valid and unexpired token returned by Generate.
-func ValidCsrfToken(token, key, userID, actionID string, now time.Time) bool {
-	issueTime, ok := ParseCsrfToken(token)
-	if !ok {
-		return false
-	}
-
-	// Check that the token is not expired.
-	if now.Sub(issueTime) >= CsrfTokenTimeout {
-		return false
-	}
-
-	// Check that the token is not from the future.
-	// Allow 1-minute grace period in case the token is being verified on a
-	// machine whose clock is behind the machine that issued the token.
-	if issueTime.After(now.Add(1 * time.Minute)) {
-		return false
-	}
-
-	expected := GenerateCsrfToken(key, userID, actionID, issueTime)
-
-	// Check that the token matches the expected value.
-	// Use constant time comparison to avoid timing attacks.
-	return subtle.ConstantTimeCompare([]byte(token), []byte(expected)) == 1
-}

services/context/xsrf_test.go

@@ -1,91 +0,0 @@
-// Copyright 2012 Google Inc. All Rights Reserved.
-// Copyright 2014 The Macaron Authors
-// Copyright 2020 The Gitea Authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// SPDX-License-Identifier: Apache-2.0
-
-package context
-
-import (
-	"encoding/base64"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-const (
-	key      = "quay"
-	userID   = "12345678"
-	actionID = "POST /form"
-)
-
-var (
-	now              = time.Now()
-	oneMinuteFromNow = now.Add(1 * time.Minute)
-)
-
-func Test_ValidToken(t *testing.T) {
-	t.Run("Validate token", func(t *testing.T) {
-		tok := GenerateCsrfToken(key, userID, actionID, now)
-		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, oneMinuteFromNow))
-		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, now.Add(CsrfTokenTimeout-1*time.Nanosecond)))
-		assert.True(t, ValidCsrfToken(tok, key, userID, actionID, now.Add(-1*time.Minute)))
-	})
-}
-
-// Test_SeparatorReplacement tests that separators are being correctly substituted
-func Test_SeparatorReplacement(t *testing.T) {
-	t.Run("Test two separator replacements", func(t *testing.T) {
-		assert.NotEqual(t, GenerateCsrfToken("foo:bar", "baz", "wah", now),
-			GenerateCsrfToken("foo", "bar:baz", "wah", now))
-	})
-}
-
-func Test_InvalidToken(t *testing.T) {
-	t.Run("Test invalid tokens", func(t *testing.T) {
-		invalidTokenTests := []struct {
-			name, key, userID, actionID string
-			t                           time.Time
-		}{
-			{"Bad key", "foobar", userID, actionID, oneMinuteFromNow},
-			{"Bad userID", key, "foobar", actionID, oneMinuteFromNow},
-			{"Bad actionID", key, userID, "foobar", oneMinuteFromNow},
-			{"Expired", key, userID, actionID, now.Add(CsrfTokenTimeout)},
-			{"More than 1 minute from the future", key, userID, actionID, now.Add(-1*time.Nanosecond - 1*time.Minute)},
-		}
-
-		tok := GenerateCsrfToken(key, userID, actionID, now)
-		for _, itt := range invalidTokenTests {
-			assert.False(t, ValidCsrfToken(tok, itt.key, itt.userID, itt.actionID, itt.t))
-		}
-	})
-}
-
-// Test_ValidateBadData primarily tests that no unexpected panics are triggered during parsing
-func Test_ValidateBadData(t *testing.T) {
-	t.Run("Validate bad data", func(t *testing.T) {
-		badDataTests := []struct {
-			name, tok string
-		}{
-			{"Invalid Base64", "ASDab24(@)$*=="},
-			{"No delimiter", base64.URLEncoding.EncodeToString([]byte("foobar12345678"))},
-			{"Invalid time", base64.URLEncoding.EncodeToString([]byte("foobar:foobar"))},
-		}
-
-		for _, bdt := range badDataTests {
-			assert.False(t, ValidCsrfToken(bdt.tok, key, userID, actionID, oneMinuteFromNow))
-		}
-	})
-}

templates/admin/auth/edit.tmpl

@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="id" value="{{.Source.ID}}">
 				<div class="inline field">
 					<label>{{ctx.Locale.Tr "admin.auths.auth_type"}}</label>

templates/admin/auth/new.tmpl

@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<!-- Types and name -->
 				<div class="inline required field {{if .Err_Type}}error{{end}}">
 					<label>{{ctx.Locale.Tr "admin.auths.auth_type"}}</label>

templates/admin/config.tmpl

@@ -228,7 +228,6 @@
 					<dt class="tw-py-1 tw-flex tw-items-center">{{ctx.Locale.Tr "admin.config.send_test_mail"}}</dt>
 					<dd class="tw-py-0">
 						<form class="ui form ignore-dirty" action="{{AppSubUrl}}/-/admin/config/test_mail" method="post">
-							{{.CsrfTokenHtml}}
 							<div class="ui tiny input">
 								<input type="email" name="email" placeholder="{{ctx.Locale.Tr "admin.config.test_email_placeholder"}}" size="29" required>
 							</div>
@@ -260,7 +259,6 @@
 				<dt class="tw-py-1 tw-flex tw-items-center">{{ctx.Locale.Tr "admin.config.cache_test"}}</dt>
 				<dd class="tw-py-0">
 					<form class="ui form ignore-dirty" action="{{AppSubUrl}}/-/admin/config/test_cache" method="post">
-						{{.CsrfTokenHtml}}
 						<button class="ui tiny primary button">{{ctx.Locale.Tr "test"}}</button>
 					</form>
 				</dd>

templates/admin/cron.tmpl

@@ -32,7 +32,6 @@
 				</tbody>
 			</table>
 			<input type="hidden" name="from" value="monitor">
-			{{.CsrfTokenHtml}}
 		</form>
 	</div>
 </div>

templates/admin/dashboard.tmpl

@@ -10,7 +10,6 @@
 		</h4>
 		<div class="ui attached table segment">
 			<form method="post" action="{{AppSubUrl}}/-/admin">
-				{{.CsrfTokenHtml}}
 				<table class="ui very basic table tw-mt-0 tw-px-4">
 					<tbody>
 						<tr>

templates/admin/emails/list.tmpl

@@ -83,8 +83,6 @@
 			<form class="content ui form" action="{{AppSubUrl}}/-/admin/emails/activate" method="post">
 				<p class="center">{{ctx.Locale.Tr "admin.emails.change_email_text"}}</p>
 
-				{{$.CsrfTokenHtml}}
-
 				<input type="hidden" name="sort" value="{{.SortType}}">
 				<input type="hidden" name="q" value="{{.Keyword}}">
 				<input type="hidden" name="is_primary" value="{{.IsPrimary}}">

templates/admin/notice.tmpl

@@ -34,7 +34,6 @@
 							<th></th>
 							<th colspan="5">
 								<form class="tw-float-right" method="post" action="{{AppSubUrl}}/-/admin/notices/empty">
-									{{.CsrfTokenHtml}}
 									<button type="submit" class="ui red small button">{{ctx.Locale.Tr "admin.notices.delete_all"}}</button>
 								</form>
 								<div class="ui floating upward dropdown small button">

templates/admin/packages/list.tmpl

@@ -6,7 +6,6 @@
 			{{ctx.Locale.Tr "admin.packages.unreferenced_size" (FileSize .TotalUnreferencedBlobSize)}})
 			<div class="ui right">
 				<form method="post" action="{{AppSubUrl}}/-/admin/packages/cleanup">
-					{{.CsrfTokenHtml}}
 					<button class="ui primary tiny button">{{ctx.Locale.Tr "admin.packages.cleanup"}}</button>
 				</form>
 			</div>
@@ -90,7 +89,6 @@
 	</div>
 
 <form class="ui small modal form-fetch-action" method="post" id="admin-package-delete-modal">
-	{{.CsrfTokenHtml}}
 	<div class="header">{{svg "octicon-trash"}} {{ctx.Locale.Tr "packages.settings.delete"}}</div>
 	<div class="content">
 		{{ctx.Locale.Tr "packages.settings.delete.notice" (HTMLFormat `<span class="%s"></span>` "package-name") (HTMLFormat `<span class="%s"></span>` "package-version")}}

templates/admin/queue_manage.tmpl

@@ -31,7 +31,6 @@
 							{{else}}
 								{{$sum}}
 								<form action="{{$.Link}}/remove-all-items" method="post" class="tw-inline-block tw-ml-4">
-									{{$.CsrfTokenHtml}}
 									<button class="ui tiny basic red button">{{ctx.Locale.Tr "admin.monitor.queue.settings.remove_all_items"}}</button>
 								</form>
 							{{end}}
@@ -47,7 +46,6 @@
 		<div class="ui attached segment">
 			<p>{{ctx.Locale.Tr "admin.monitor.queue.settings.desc"}}</p>
 			<form method="post" action="{{.Link}}/set">
-				{{$.CsrfTokenHtml}}
 				<div class="ui form">
 					<div class="inline field">
 						<label for="max-number">{{ctx.Locale.Tr "admin.monitor.queue.settings.maxnumberworkers"}}</label>

templates/admin/repo/list.tmpl

@@ -102,7 +102,6 @@
 	</div>
 
 <form class="ui small modal form-fetch-action" id="admin-repo-delete-modal" method="post">
-	{{.CsrfTokenHtml}}
 	<div class="header">{{svg "octicon-trash"}} {{ctx.Locale.Tr "repo.settings.delete"}}</div>
 	<div class="content">
 		<p>{{ctx.Locale.Tr "repo.settings.delete_desc"}}</p>

templates/admin/repo/unadopted.tmpl

@@ -32,7 +32,6 @@
 											<p>{{ctx.Locale.Tr "repo.adopt_preexisting_content" $dir}}</p>
 										</div>
 										<form class="ui form" method="post" action="{{AppSubUrl}}/-/admin/repos/unadopted">
-											{{$.CsrfTokenHtml}}
 											<input type="hidden" name="id" value="{{$dir}}">
 											<input type="hidden" name="action" value="adopt">
 											<input type="hidden" name="q" value="{{$.Keyword}}">
@@ -49,7 +48,6 @@
 											<p>{{ctx.Locale.Tr "repo.delete_preexisting_content" $dir}}</p>
 										</div>
 										<form class="ui form" method="post" action="{{AppSubUrl}}/-/admin/repos/unadopted">
-											{{$.CsrfTokenHtml}}
 											<input type="hidden" name="id" value="{{$dir}}">
 											<input type="hidden" name="action" value="delete">
 											<input type="hidden" name="q" value="{{$.Keyword}}">

templates/admin/user/edit.tmpl

@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="./edit" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<div class="field {{if .Err_UserName}}error{{end}}">
 					<label for="user_name">{{ctx.Locale.Tr "username"}}</label>
 					<input id="user_name" name="user_name" value="{{.User.Name}}" maxlength="40">
@@ -173,7 +172,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" action="./avatar" method="post" enctype="multipart/form-data">
-				{{.CsrfTokenHtml}}
 				{{if not .DisableGravatar}}
 				<div class="inline field">
 					<div class="ui radio checkbox">
@@ -214,7 +212,6 @@
 	<form class="ui form" method="post" action="./delete">
 		<div class="content">
 			<p>{{ctx.Locale.Tr "settings.delete_account_desc"}}</p>
-			{{$.CsrfTokenHtml}}
 			<div class="field">
 				<div class="ui checkbox">
 					<label for="purge">{{ctx.Locale.Tr "admin.users.purge"}}</label>

templates/admin/user/new.tmpl

@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<!-- Types and name -->
 				<div class="inline required field {{if .Err_LoginType}}error{{end}}">
 					<label>{{ctx.Locale.Tr "admin.users.auth_source"}}</label>

templates/base/head.tmpl

@@ -23,7 +23,7 @@
 	{{template "base/head_script" .}}
 	{{template "custom/header" .}}
 </head>
-<body hx-headers='{"x-csrf-token": "{{.CsrfToken}}"}' hx-swap="outerHTML" hx-ext="morph" hx-push-url="false">
+<body hx-swap="outerHTML" hx-ext="morph" hx-push-url="false">
 	{{template "custom/body_outer_pre" .}}
 
 	<div class="full height">

templates/base/head_navbar.tmpl

@@ -158,7 +158,6 @@
 				</a>
 				<div class="tw-flex tw-gap-1">
 					<form class="stopwatch-commit form-fetch-action" method="post" action="{{$activeStopwatch.IssueLink}}/times/stopwatch/stop">
-						{{.CsrfTokenHtml}}
 						<button
 							type="submit"
 							class="ui button mini compact basic icon tw-mr-0"
@@ -166,7 +165,6 @@
 						>{{svg "octicon-square-fill"}}</button>
 					</form>
 					<form class="stopwatch-cancel form-fetch-action" method="post" action="{{$activeStopwatch.IssueLink}}/times/stopwatch/cancel">
-						{{.CsrfTokenHtml}}
 						<button
 							type="submit"
 							class="ui button mini compact basic icon tw-mr-0"

templates/base/head_script.tmpl

@@ -13,7 +13,6 @@ If you introduce mistakes in it, Gitea JavaScript code wouldn't run correctly.
 		assetUrlPrefix: '{{AssetUrlPrefix}}',
 		runModeIsProd: {{.RunModeIsProd}},
 		customEmojis: {{CustomEmojis}},
-		csrfToken: '{{.CsrfToken}}',
 		pageData: {{.PageData}},
 		notificationSettings: {{NotificationSettings}}, {{/*a map provided by NewFuncMap in helper.go*/}}
 		enableTimeTracking: {{EnableTimetracking}},

templates/org/create.tmpl

@@ -7,7 +7,6 @@
 		</h3>
 		<div class="ui attached segment">
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="inline required field {{if .Err_OrgName}}error{{end}}">
 					<label for="org_name">{{ctx.Locale.Tr "org.org_name_holder"}}</label>
 					<input id="org_name" name="org_name" value="{{.org_name}}" autofocus required maxlength="40">

templates/org/settings/options.tmpl

@@ -6,7 +6,6 @@
 	</h4>
 	<div class="ui attached segment">
 		<form class="ui form" action="{{.Link}}" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field {{if .Err_FullName}}error{{end}}">
 				<label for="full_name">{{ctx.Locale.Tr "org.org_full_name_holder"}}</label>
 				<input id="full_name" name="full_name" value="{{.Org.FullName}}" maxlength="100">
@@ -57,7 +56,6 @@
 		<div class="divider"></div>
 
 		<form class="ui form" action="{{.Link}}/avatar" method="post" enctype="multipart/form-data">
-			{{.CsrfTokenHtml}}
 			<div class="inline field">
 				{{template "shared/avatar_upload_crop" dict "LabelText" (ctx.Locale.Tr "settings.choose_new_avatar")}}
 			</div>

templates/org/settings/options_dangerzone.tmpl

@@ -47,7 +47,6 @@
 			</ul>
 		</div>
 		<form class="ui form form-fetch-action" action="{{.Link}}/visibility" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="current_visibility" value="{{.CurrentVisibility}}">
 			<div class="tw-flex tw-flex-col tw-gap-3">
 				<label>{{ctx.Locale.Tr "org.settings.visibility"}}</label>
@@ -85,7 +84,6 @@
 			</ul>
 		</div>
 		<form class="ui form form-fetch-action" action="{{.Link}}/rename" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				<label>
 					{{ctx.Locale.Tr "org.settings.name_confirm"}}
@@ -124,7 +122,6 @@
 			</ul>
 		</div>
 		<form class="ui form form-fetch-action" action="{{.Link}}/delete" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				<label>
 					{{ctx.Locale.Tr "org.settings.name_confirm"}}

templates/org/team/invite.tmpl

@@ -13,7 +13,6 @@
 			</div>
 			<div class="extra content">
 				<form class="ui form" action="" method="post">
-					{{.CsrfTokenHtml}}
 					<button class="fluid ui primary button">{{ctx.Locale.Tr "org.teams.join"}}</button>
 				</form>
 			</div>

templates/org/team/members.tmpl

@@ -10,7 +10,6 @@
 				{{if .IsOrganizationOwner}}
 					<div class="ui top attached segment">
 						<form class="ui form ignore-dirty tw-flex tw-flex-wrap tw-gap-2" action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/add" method="post">
-							{{.CsrfTokenHtml}}
 							<input type="hidden" name="uid" value="{{.SignedUser.ID}}">
 							<div id="search-user-box" class="ui search tw-mr-2"{{if .IsEmailInviteEnabled}} data-allow-email="true" data-allow-email-description="{{ctx.Locale.Tr "org.teams.invite_team_member" $.Team.Name}}"{{end}}>
 								<div class="ui input">
@@ -62,7 +61,6 @@
 								</div>
 								<div class="flex-item-trailing">
 									<form action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/remove_invite" method="post">
-										{{$.CsrfTokenHtml}}
 										<input type="hidden" name="iid" value="{{.ID}}">
 										<button class="ui red button">{{ctx.Locale.Tr "org.members.remove"}}</button>
 									</form>

templates/org/team/new.tmpl

@@ -5,7 +5,6 @@
 		<div class="ui grid">
 			<div class="column">
 				<form class="ui form" action="{{if .PageIsOrgTeamsNew}}{{.OrgLink}}/teams/new{{else}}{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/edit{{end}}" data-delete-url="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/delete" method="post">
-					{{.CsrfTokenHtml}}
 					<h3 class="ui top attached header">
 						{{if .PageIsOrgTeamsNew}}{{ctx.Locale.Tr "org.create_new_team"}}{{else}}{{ctx.Locale.Tr "org.teams.settings"}}{{end}}
 					</h3>

templates/org/team/repositories.tmpl

@@ -11,7 +11,6 @@
 				{{if $canAddRemove}}
 					<div class="ui top attached segment tw-flex tw-flex-wrap tw-gap-2">
 						<form class="ui form ignore-dirty tw-flex-1 tw-flex" action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/repo/add" method="post">
-							{{.CsrfTokenHtml}}
 							<div data-global-init="initSearchRepoBox" data-uid="{{.Org.ID}}" class="ui search">
 								<div class="ui input">
 									<input class="prompt" name="repo_name" placeholder="{{ctx.Locale.Tr "search.repo_kind"}}" autocomplete="off" required>
@@ -40,7 +39,6 @@
 								<div class="flex-item-trailing">
 									{{if $canAddRemove}}
 										<form method="post" action="{{$.OrgLink}}/teams/{{$.Team.LowerName | PathEscape}}/action/repo/remove">
-											{{$.CsrfTokenHtml}}
 											<button type="submit" class="ui red small button" name="repoid" value="{{.ID}}">{{ctx.Locale.Tr "remove"}}</button>
 										</form>
 									{{end}}

templates/org/team/sidebar.tmpl

@@ -10,7 +10,6 @@
 				</form>
 			{{else if .IsOrganizationOwner}}
 				<form method="post" action="{{.OrgLink}}/teams/{{.Team.LowerName | PathEscape}}/action/join">
-					{{$.CsrfTokenHtml}}
 					<input type="hidden" name="page" value="team">
 					<button type="submit" class="ui primary tiny button" name="uid" value="{{$.SignedUser.ID}}">{{ctx.Locale.Tr "org.teams.join"}}</button>
 				</form>

templates/org/team/teams.tmpl

@@ -25,7 +25,6 @@
 								</form>
 							{{else if $.IsOrganizationOwner}}
 								<form method="post" action="{{$.OrgLink}}/teams/{{.LowerName | PathEscape}}/action/join">
-									{{$.CsrfTokenHtml}}
 									<button type="submit" class="ui primary tiny button" name="uid" value="{{$.SignedUser.ID}}">{{ctx.Locale.Tr "org.teams.join"}}</button>
 								</form>
 							{{end}}

templates/package/settings.tmpl

@@ -17,7 +17,6 @@
 		<div class="ui attached segment">
 			<p>{{ctx.Locale.Tr "packages.settings.link.description"}}</p>
 			<form class="ui form form-fetch-action ignore-dirty flex-text-block" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="link">
 				<div data-global-init="initSearchRepoBox" class="ui search" data-uid="{{.PackageDescriptor.Owner.ID}}">
 					<div class="ui input">
@@ -49,7 +48,6 @@
 								{{ctx.Locale.Tr "packages.settings.delete.notice" .PackageDescriptor.Package.Name .PackageDescriptor.Version.Version}}
 							</div>
 							<form class="ui form" action="{{.Link}}" method="post">
-								{{.CsrfTokenHtml}}
 								<input type="hidden" name="action" value="delete">
 								{{template "base/modal_actions_confirm" .}}
 							</form>

templates/package/shared/cargo.tmpl

@@ -7,14 +7,12 @@
 			<label>{{ctx.Locale.Tr "packages.owner.settings.cargo.initialize.description"}}</label>
 		</div>
 		<form class="field" action="{{.Link}}/cargo/initialize" method="post">
-			{{.CsrfTokenHtml}}
 			<button class="ui primary button">{{ctx.Locale.Tr "packages.owner.settings.cargo.initialize"}}</button>
 		</form>
 		<div class="field">
 			<label>{{ctx.Locale.Tr "packages.owner.settings.cargo.rebuild.description"}}</label>
 		</div>
 		<form class="field" action="{{.Link}}/cargo/rebuild" method="post">
-			{{.CsrfTokenHtml}}
 			<button class="ui primary button">{{ctx.Locale.Tr "packages.owner.settings.cargo.rebuild"}}</button>
 		</form>
 		<div class="field">

templates/package/shared/cleanup_rules/edit.tmpl

@@ -1,7 +1,6 @@
 <h4 class="ui top attached header">{{if .IsEditRule}}{{ctx.Locale.Tr "packages.owner.settings.cleanuprules.edit"}}{{else}}{{ctx.Locale.Tr "packages.owner.settings.cleanuprules.add"}}{{end}}</h4>
 <div class="ui attached segment">
 	<form class="ui form" action="{{.Link}}" method="post">
-		{{.CsrfTokenHtml}}
 		<input name="id" type="hidden" value="{{.CleanupRule.ID}}">
 		<div class="field">
 			<div class="ui checkbox">

templates/projects/new.tmpl

@@ -9,7 +9,6 @@
 </h2>
 {{template "base/alert" .}}
 <form class="ui form" action="{{.Link}}" method="post">
-	{{.CsrfTokenHtml}}
 	<div>
 		<input type="hidden" id="redirect" name="redirect" value="{{.redirect}}">
 		<div class="field {{if .Err_Title}}error{{end}}">

templates/repo/actions/workflow_dispatch.tmpl

@@ -5,7 +5,6 @@
 <div id="runWorkflowDispatchModal" class="ui tiny modal">
 	<div class="content">
 		<form id="runWorkflowDispatchForm" class="ui form" action="{{$.Link}}/run?workflow={{$.CurWorkflow}}&actor={{$.CurActor}}&status={{.Status}}" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="ui inline field required tw-flex tw-items-center">
 				<span class="ui inline required field">
 					<label>{{ctx.Locale.Tr "actions.workflow.from_ref"}}:</label>

templates/repo/branch/list.tmpl

@@ -230,7 +230,6 @@
 
 	<form class="ui form" id="create-branch-form" action="" data-base-action="{{.Link}}/_new/branch/" method="post">
 		<div class="content">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				{{ctx.Locale.Tr "repo.branch.create_new_branch"}}
 				<span id="modal-create-branch-from-span"></span>
@@ -250,7 +249,6 @@
 	</div>
 	<form class="ui form" action="{{$.Repository.Link}}/branches/rename" method="post">
 		<div class="content">
-			{{.CsrfTokenHtml}}
 			<div class="field default-branch-warning">
 				<span class="text red">{{ctx.Locale.Tr "repo.branch.warning_rename_default_branch"}}</span>
 			</div>

templates/repo/commit_page.tmpl

@@ -72,7 +72,6 @@
 										</div>
 										<div class="content">
 											<form class="ui form" id="create-branch-form" action="" data-base-action="{{.RepoLink}}/branches/_new/commit/" method="post">
-												{{.CsrfTokenHtml}}
 												<div class="field">
 													<label>
 														{{ctx.Locale.Tr "repo.branch.new_branch_from" (HTMLFormat `<span class="%s" id="%s"></span>` "text" "modal-create-branch-from-span")}}
@@ -96,7 +95,6 @@
 										</div>
 										<div class="content">
 											<form class="ui form" id="create-tag-form" action="" data-base-action="{{.RepoLink}}/branches/_new/commit/" method="post">
-												{{.CsrfTokenHtml}}
 												<input type="hidden" name="create_tag" value="true">
 												<div class="field">
 													<label>

templates/repo/create.tmpl

@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			{{template "repo/create_helper" .}}
 			<form class="ui form left-right-form new-repo-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div id="create-repo-error-message" class="ui negative message tw-text-center tw-hidden"></div>
 				<div class="inline required field {{if .Err_Owner}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.owner"}}</label>

templates/repo/diff/comment_form.tmpl

@@ -1,6 +1,5 @@
 {{if and $.root.SignedUserID (not $.Repository.IsArchived)}}
 	<form class="ui form {{if $.hidden}}tw-hidden comment-form{{end}}" action="{{$.root.Issue.Link}}/files/reviews/comments" method="post">
-	{{$.root.CsrfTokenHtml}}
 		<input type="hidden" name="origin" value="{{if $.root.PageIsPullFiles}}diff{{else}}timeline{{end}}">
 		<input type="hidden" name="latest_commit_id" value="{{$.root.AfterCommitID}}">
 		<input type="hidden" name="side" value="{{if $.Side}}{{$.Side}}{{end}}">

templates/repo/diff/new_review.tmpl

@@ -12,7 +12,6 @@
 <div class="review-box-panel tippy-target">
 	<div class="ui segment">
 		<form class="ui form form-fetch-action" action="{{.Link}}/reviews/submit" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="commit_id" value="{{.AfterCommitID}}">
 			<div class="field tw-flex tw-items-center">
 				<div class="tw-flex-1">{{ctx.Locale.Tr "repo.diff.review.header"}}</div>

templates/repo/editor/cherry_pick.tmpl

@@ -4,7 +4,6 @@
 	<div class="ui container">
 		{{template "base/alert" .}}
 		<form class="ui edit form form-fetch-action" method="post" action="{{.CommitFormOptions.TargetFormAction}}">
-			{{.CsrfTokenHtml}}
 			{{template "repo/editor/common_top" .}}
 			<input type="hidden" name="revert" value="{{if eq .CherryPickType "revert"}}true{{else}}false{{end}}">
 			<div class="repo-editor-header">

templates/repo/editor/delete.tmpl

@@ -7,7 +7,6 @@
 			{{template "repo/view_file_tree" .}}
 			<div class="repo-view-content">
 				<form class="ui form form-fetch-action" method="post" action="{{.CommitFormOptions.TargetFormAction}}">
-					{{.CsrfTokenHtml}}
 					{{template "repo/editor/common_top" .}}
 					<div class="repo-editor-header">
 						{{/* although the UI isn't good enough, this header is necessary for the "left file tree view" toggle button, this button must exist */}}

templates/repo/editor/edit.tmpl

@@ -10,7 +10,6 @@
 					data-text-empty-confirm-header="{{ctx.Locale.Tr "repo.editor.commit_empty_file_header"}}"
 					data-text-empty-confirm-content="{{ctx.Locale.Tr "repo.editor.commit_empty_file_text"}}"
 				>
-					{{.CsrfTokenHtml}}
 					{{template "repo/editor/common_top" .}}
 					<div class="repo-editor-header">
 						{{template "repo/view_file_tree_toggle_button" .}}

templates/repo/editor/fork.tmpl

@@ -4,7 +4,6 @@
 	<div class="ui container">
 		{{template "base/alert" .}}
 		<form class="ui form form-fetch-action" method="post" action="{{.RepoLink}}/_fork/{{.BranchName | PathEscapeSegments}}">
-			{{.CsrfTokenHtml}}
 			<div class="tw-text-center">
 				<div class="tw-my-[40px]">
 					<h3>{{ctx.Locale.Tr "repo.editor.fork_create"}}</h3>

templates/repo/editor/patch.tmpl

@@ -7,7 +7,6 @@
 					data-text-empty-confirm-header="{{ctx.Locale.Tr "repo.editor.commit_empty_file_header"}}"
 					data-text-empty-confirm-content="{{ctx.Locale.Tr "repo.editor.commit_empty_file_text"}}"
 		>
-			{{.CsrfTokenHtml}}
 			{{template "repo/editor/common_top" .}}
 			<div class="repo-editor-header">
 				<div class="breadcrumb">

templates/repo/editor/upload.tmpl

@@ -7,7 +7,6 @@
 			{{template "repo/view_file_tree" .}}
 			<div class="repo-view-content">
 				<form class="ui comment form form-fetch-action" method="post" action="{{.CommitFormOptions.TargetFormAction}}">
-					{{.CsrfTokenHtml}}
 					{{template "repo/editor/common_top" .}}
 					<div class="repo-editor-header">
 						{{template "repo/view_file_tree_toggle_button" .}}

templates/repo/header.tmpl

@@ -41,7 +41,6 @@
 				<div class="flex-text-block tw-flex-wrap">
 					{{if $.RepoTransfer}}
 						<form method="post" action="{{$.RepoLink}}/action/accept_transfer?redirect_to={{$.RepoLink}}">
-							{{$.CsrfTokenHtml}}
 							<div class="flex-text-inline" data-tooltip-content="{{if $.CanUserAcceptOrRejectTransfer}}{{ctx.Locale.Tr "repo.transfer.accept_desc" $.RepoTransfer.Recipient.DisplayName}}{{else}}{{ctx.Locale.Tr "repo.transfer.no_permission_to_accept"}}{{end}}">
 								<button type="submit" class="ui compact small basic button {{if $.CanUserAcceptOrRejectTransfer}}primary {{end}} ok small"{{if not $.CanUserAcceptOrRejectTransfer}} disabled{{end}}>
 									{{ctx.Locale.Tr "repo.transfer.accept"}}
@@ -49,7 +48,6 @@
 							</div>
 						</form>
 						<form method="post" action="{{$.RepoLink}}/action/reject_transfer?redirect_to={{$.RepoLink}}">
-							{{$.CsrfTokenHtml}}
 							<div class="flex-text-inline" data-tooltip-content="{{if $.CanUserAcceptOrRejectTransfer}}{{ctx.Locale.Tr "repo.transfer.reject_desc" $.RepoTransfer.Recipient.DisplayName}}{{else}}{{ctx.Locale.Tr "repo.transfer.no_permission_to_reject"}}{{end}}">
 								<button type="submit" class="ui compact small basic button {{if $.CanUserAcceptOrRejectTransfer}}red {{end}}ok small"{{if not $.CanUserAcceptOrRejectTransfer}} disabled{{end}}>
 									{{ctx.Locale.Tr "repo.transfer.reject"}}

templates/repo/issue/labels/label_edit_modal.tmpl

@@ -6,7 +6,6 @@
 	<div class="header"></div>
 	<div class="content">
 		<form class="ui form ignore-dirty form-fetch-action" method="post">
-			{{.CsrfTokenHtml}}
 			<input name="id" type="hidden">
 			<div class="required field">
 				<label for="name">{{ctx.Locale.Tr "repo.issues.label_title"}}</label>

templates/repo/issue/labels/label_load_template.tmpl

@@ -2,7 +2,6 @@
 	<div class="twelve wide computer column">
 		<p>{{ctx.Locale.Tr "repo.issues.label_templates.info"}}</p>
 		<form class="ui form center" action="{{.Link}}/initialize" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				<div class="ui selection dropdown">
 					<input type="hidden" name="template_name" value="Default">

templates/repo/issue/milestone_new.tmpl

@@ -22,7 +22,6 @@
 		</h2>
 		{{template "base/alert" .}}
 		<form class="ui form" action="{{.Link}}" method="post">
-			{{.CsrfTokenHtml}}
 				<div class="field {{if .Err_Title}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.milestones.title"}}</label>
 					<input name="title" placeholder="{{ctx.Locale.Tr "repo.milestones.title"}}" value="{{.title}}" autofocus required maxlength="50">

templates/repo/issue/new_form.tmpl

@@ -1,6 +1,5 @@
 {{template "base/alert" .}}
 <form class="issue-content ui comment form form-fetch-action" id="new-issue" action="{{.Link}}" method="post">
-	{{.CsrfTokenHtml}}
 	<div class="issue-content-left">
 		<div class="ui comments">
 			<div class="comment">

templates/repo/issue/sidebar/due_date.tmpl

@@ -21,7 +21,6 @@
 		<form class="ui fluid action input issue-due-form form-fetch-action tw-mt-2 {{if .Issue.DeadlineUnix}}tw-hidden{{end}}"
 					method="post" action="{{AppSubUrl}}/{{PathEscape .Repository.Owner.Name}}/{{PathEscape .Repository.Name}}/issues/{{.Issue.Index}}/deadline"
 		>
-			{{$.CsrfTokenHtml}}
 			<input required type="date" name="deadline" placeholder="{{ctx.Locale.Tr "repo.issues.due_date_form"}}" {{if .Issue.DeadlineUnix}}value="{{.Issue.DeadlineUnix.FormatDate}}"{{end}}>
 			<button class="ui icon button">{{Iif .Issue.DeadlineUnix (svg "octicon-pencil") (svg "octicon-plus")}}</button>
 		</form>

templates/repo/issue/sidebar/issue_dependencies.tmpl

@@ -110,7 +110,6 @@
 		{{if and .CanCreateIssueDependencies (not .Repository.IsArchived)}}
 			<div>
 				<form method="post" action="{{.Issue.Link}}/dependency/add" id="addDependencyForm">
-					{{$.CsrfTokenHtml}}
 					<div class="ui fluid action input">
 						<div class="ui search selection dropdown" id="new-dependency-drop-list" data-issue-id="{{.Issue.ID}}" data-issue-cross-repo-search="{{.AllowCrossRepositoryDependencies}}">
 							<input name="newDependency" type="hidden">
@@ -131,7 +130,6 @@
 		<form id="issue-remove-dependency-confirm" class="ui g-modal-confirm modal" method="post" action="{{.Issue.Link}}/dependency/delete">
 			<div class="header">{{svg "octicon-trash"}} {{ctx.Locale.Tr "repo.issues.dependency.remove_header"}}</div>
 			<div class="content">
-				{{$.CsrfTokenHtml}}
 				<input type="hidden" value="" name="removeDependencyID" class="remove-dependency-id">
 				<input type="hidden" value="" name="dependencyType" class="dependency-type">
 				<p>

templates/repo/issue/sidebar/issue_management.tmpl

@@ -4,7 +4,6 @@
 	{{/* Pin issue */}}
 	{{if or .PinEnabled .Issue.IsPinned}}
 		<form class="tw-mt-1 form-fetch-action single-button-form" method="post" {{if $.NewPinAllowed}}action="{{.Issue.Link}}/pin"{{else}}data-tooltip-content="{{ctx.Locale.Tr "repo.issues.max_pinned"}}"{{end}}>
-			{{$.CsrfTokenHtml}}
 			<button class="fluid ui button {{if not $.NewPinAllowed}}disabled{{end}}">
 				{{if not .Issue.IsPinned}}
 					{{svg "octicon-pin"}}
@@ -46,7 +45,6 @@
 			</div>
 
 			<form class="ui form form-fetch-action" method="post" action="{{.Issue.Link}}{{if .Issue.IsLocked}}/unlock{{else}}/lock{{end}}">
-				{{.CsrfTokenHtml}}
 
 				{{if not .Issue.IsLocked}}
 					<div class="field">
@@ -103,7 +101,6 @@
 			</p>
 		</div>
 		<form action="{{.Issue.Link}}/delete" method="post">
-			{{.CsrfTokenHtml}}
 			{{template "base/modal_actions_confirm" .}}
 		</form>
 	</div>

templates/repo/issue/sidebar/reviewer_list.tmpl

@@ -115,7 +115,6 @@
 				{{ctx.Locale.Tr "repo.issues.dismiss_review_warning"}}
 			</div>
 			<form class="ui form" action="{{$pageMeta.RepoLink}}/issues/dismiss_review" method="post">
-				{{ctx.RootData.CsrfTokenHtml}}
 				<input type="hidden" class="reviewer-id" name="review_id">
 				<div class="field">
 					<label for="issue-sidebar-dismiss-review-message">{{ctx.Locale.Tr "action.review_dismissed_reason"}}</label>

templates/repo/issue/sidebar/stopwatch_timetracker.tmpl

@@ -39,7 +39,6 @@
 				<div class="header">{{ctx.Locale.Tr "repo.issues.time_estimate_set"}}</div>
 				<form method="post" class="ui form form-fetch-action" action="{{.Issue.Link}}/time_estimate">
 					<div class="content">
-						{{$.CsrfTokenHtml}}
 						<input name="time_estimate" placeholder="1h 2m" value="{{TimeEstimateString .Issue.TimeEstimate}}">
 						<div class="actions">
 							<button class="ui cancel button">{{ctx.Locale.Tr "cancel"}}</button>
@@ -54,7 +53,6 @@
 				<div class="header">{{ctx.Locale.Tr "repo.issues.add_time_manually"}}</div>
 				<form method="post" class="ui form form-fetch-action" action="{{.Issue.Link}}/times/add">
 					<div class="content flex-text-block">
-						{{$.CsrfTokenHtml}}
 						<input placeholder='{{ctx.Locale.Tr "repo.issues.add_time_hours"}}' type="number" name="hours">:
 						<input placeholder='{{ctx.Locale.Tr "repo.issues.add_time_minutes"}}' type="number" name="minutes">
 					</div>

templates/repo/issue/view_content.tmpl

@@ -81,7 +81,6 @@
 						<div class="ui segment avatar-content-left-arrow">
 							<form class="ui form form-fetch-action" id="comment-form" action="{{$.RepoLink}}/issues/{{.Issue.Index}}/comments" method="post">
 								{{template "repo/issue/comment_tab" .}}
-								{{.CsrfTokenHtml}}
 								<div class="field footer">
 									<div class="flex-text-block tw-justify-end">
 										{{if and (or .HasIssuesOrPullsWritePermission .IsIssuePoster) (not .DisableStatusChange)}}

templates/repo/issue/view_content/pull_merge_box.tmpl

@@ -384,7 +384,6 @@
 			{{if and $.StillCanManualMerge (not $showGeneralMergeForm)}}
 				<div class="divider"></div>
 				<form class="ui form form-fetch-action" action="{{.Issue.Link}}/merge" method="post">{{/* another similar form is in PullRequestMergeForm.vue*/}}
-					{{.CsrfTokenHtml}}
 					<div class="field">
 						<input type="text" name="merge_commit_id" placeholder="{{ctx.Locale.Tr "repo.pulls.merge_commit_id"}}">
 					</div>

templates/repo/issue/view_content/reference_issue_dialog.tmpl

@@ -4,7 +4,6 @@
 	</div>
 	<div class="content">
 		<form class="ui form form-fetch-action" action="{{.Repository.Link}}/issues/new" method="post">
-			{{.CsrfTokenHtml}}
 			<div class="field">
 				<label><strong>{{ctx.Locale.Tr "repository"}}</strong></label>
 				<div class="ui search selection dropdown issue_reference_repository_search ellipsis-text-items">

templates/repo/issue/view_content/update_branch_by_merge.tmpl

@@ -26,7 +26,6 @@
 			{{end}}
 			{{if and $.UpdateAllowed (not $.UpdateByRebaseAllowed)}}
 				<form action="{{$.Issue.Link}}/update" method="post" class="ui update-branch-form">
-					{{$.CsrfTokenHtml}}
 					<button class="ui compact button">
 						<span class="ui text">{{ctx.Locale.Tr "repo.pulls.update_branch"}}</span>
 					</button>

templates/repo/migrate/codebase.tmpl

@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/migrate/codecommit.tmpl

@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/migrate/git.tmpl

@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/migrate/gitbucket.tmpl

@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/migrate/gitea.tmpl

@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/migrate/github.tmpl

@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/migrate/gitlab.tmpl

@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/migrate/gogs.tmpl

@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/migrate/migrating.tmpl

@@ -64,7 +64,6 @@
 			{{end}}
 		</div>
 		<form class="ui form" action="{{.Link}}/settings" method="post">
-			{{.CsrfTokenHtml}}
 			<input type="hidden" name="action" value="delete">
 			<div class="field">
 				<label>
@@ -90,7 +89,6 @@
 		{{ctx.Locale.Tr "repo.migrate.cancel_migrating_title"}}
 	</div>
 	<form action="{{.Link}}/settings/migrate/cancel" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="content">
 			{{ctx.Locale.Tr "repo.migrate.cancel_migrating_confirm"}}
 		</div>

templates/repo/migrate/onedev.tmpl

@@ -8,7 +8,6 @@
 			{{template "base/alert" .}}
 			<form class="ui form left-right-form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 
 				<input id="service_type" type="hidden" name="service" value="{{.service}}">
 

templates/repo/pulls/fork.tmpl

@@ -7,7 +7,6 @@
 		<div class="ui attached segment">
 			{{template "base/alert" .}}
 			<form class="ui form form-fetch-action left-right-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div class="inline required field {{if .Err_Owner}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.owner"}}</label>
 					<div class="ui selection owner dropdown ellipsis-text-items">

templates/repo/release/new.tmpl

@@ -19,7 +19,6 @@
 			data-tag-helper-new="{{ctx.Locale.Tr "repo.release.tag_helper_new"}}"
 			data-tag-helper-existing="{{ctx.Locale.Tr "repo.release.tag_helper_existing"}}"
 		>
-			{{.CsrfTokenHtml}}
 			<div class="inline field {{if .Err_TagName}}error{{end}}">
 				<label class="tw-block tw-mb-1"><b>{{ctx.Locale.Tr "repo.git_tag"}}</b></label>
 				{{if .PageIsEditRelease}}

templates/repo/settings/actions_general.tmpl

@@ -4,7 +4,6 @@
 	</h4>
 	<div class="ui attached segment">
 		<form class="ui form" action="{{.Link}}/actions_unit" method="post">
-			{{.CsrfTokenHtml}}
 			{{$isActionsEnabled := .Repository.UnitEnabled ctx ctx.Consts.RepoUnitTypeActions}}
 			{{$isActionsGlobalDisabled := ctx.Consts.RepoUnitTypeActions.UnitGlobalDisabled}}
 			<div class="inline field">
@@ -55,7 +54,6 @@
 	{{end}}
 	<div class="ui bottom attached segment">
 		<form class="ui form form-fetch-action" action="{{.Link}}/collaborative_owner/add" method="post">
-			{{.CsrfTokenHtml}}
 			<div id="search-user-box" class="ui search input tw-align-middle" data-include-orgs="true">
 				<input class="prompt" name="collaborative_owner" placeholder="{{ctx.Locale.Tr "search.user_kind"}}" autocomplete="off" autofocus required>
 			</div>

templates/repo/settings/branches.tmpl

@@ -13,7 +13,6 @@
 					{{ctx.Locale.Tr "repo.settings.default_branch_desc"}}
 				</p>
 				<form class="tw-flex" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<input type="hidden" name="action" value="default_branch">
 					<div class="ui dropdown selection search tw-flex-1 tw-mr-2 tw-max-w-96">
 						{{svg "octicon-triangle-down" 14 "dropdown icon"}}

templates/repo/settings/collaboration.tmpl

@@ -40,7 +40,6 @@
 		{{end}}
 		<div class="ui bottom attached segment">
 			<form class="ui form" id="repo-collab-form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<div id="search-user-box" class="ui search input tw-align-middle">
 					<input class="prompt" name="collaborator" placeholder="{{ctx.Locale.Tr "search.user_kind"}}" autocomplete="off" autofocus required>
 				</div>
@@ -108,7 +107,6 @@
 			<div class="ui bottom attached segment">
 				{{if $allowedToChangeTeams}}
 					<form class="ui form" id="repo-collab-team-form" action="{{.Link}}/team" method="post">
-						{{.CsrfTokenHtml}}
 						<div id="search-team-box" class="ui search input tw-align-middle" data-org-name="{{.OrgName}}">
 							<input class="prompt" name="team" placeholder="{{ctx.Locale.Tr "search.team_kind"}}" autocomplete="off" required>
 						</div>

templates/repo/settings/deploy_keys.tmpl

@@ -13,7 +13,6 @@
 		<div class="ui attached segment">
 			<div class="{{if not .HasError}}tw-hidden{{end}} tw-mb-4" id="add-deploy-key-panel">
 				<form class="ui form" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<div class="field">
 						{{ctx.Locale.Tr "repo.settings.deploy_key_desc"}}
 					</div>

templates/repo/settings/githook_edit.tmpl

@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<p>{{ctx.Locale.Tr "repo.settings.githook_edit_desc"}}</p>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				{{with .Hook}}
 					<div class="inline field">
 						<label>{{ctx.Locale.Tr "repo.settings.githook_name"}}</label>

templates/repo/settings/lfs.tmpl

@@ -43,7 +43,6 @@
 						{{ctx.Locale.Tr "repo.settings.lfs_delete_warning"}}
 					</p>
 					<form class="ui form" action="{{$.Link}}/delete/{{.Oid}}" method="post">
-						{{$.CsrfTokenHtml}}
 						{{template "base/modal_actions_confirm"}}
 					</form>
 				</div>

templates/repo/settings/lfs_locks.tmpl

@@ -6,7 +6,6 @@
 			</h4>
 			<div class="ui attached segment">
 				<form class="ui form ignore-dirty" method="post">
-					{{$.CsrfTokenHtml}}
 					<div class="ui fluid action input">
 						<input name="path" value="" placeholder="{{ctx.Locale.Tr "repo.settings.lfs_lock_path"}}" autofocus>
 						<button class="ui primary button">{{ctx.Locale.Tr "repo.settings.lfs_lock"}}</button>
@@ -38,7 +37,6 @@
 							<td>{{DateUtils.TimeSince .Created}}</td>
 							<td class="tw-text-right">
 								<form action="{{$.LFSFilesLink}}/locks/{{$lock.ID}}/unlock" method="post">
-									{{$.CsrfTokenHtml}}
 									<button class="ui primary button"><span class="btn-octicon">{{svg "octicon-lock"}}</span>{{ctx.Locale.Tr "repo.settings.lfs_force_unlock"}}</button>
 								</form>
 							</td>

templates/repo/settings/lfs_pointers.tmpl

@@ -5,7 +5,6 @@
 			{{if gt .NumAssociatable 0}}
 				<div class="ui right">
 					<form class="ui form" method="post" action="{{$.Link}}/associate">
-						{{.CsrfTokenHtml}}
 						{{range .Pointers}}
 							{{if .Associatable}}
 								<input type="hidden" name="oid" value="{{.Oid}} {{.Size}}">

templates/repo/settings/options.tmpl

@@ -6,7 +6,6 @@
 		<div class="ui attached segment">
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{template "base/disable_form_autofill"}}
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="update">
 				<div class="required field {{if .Err_RepoName}}error{{end}}">
 					<label>{{ctx.Locale.Tr "repo.repo_name"}}</label>
@@ -38,7 +37,6 @@
 
 			<div class="divider"></div>
 			<form class="ui form" action="{{.Link}}/avatar" method="post" enctype="multipart/form-data">
-				{{.CsrfTokenHtml}}
 				<div class="inline field">
 					{{template "shared/avatar_upload_crop" dict "LabelText" (ctx.Locale.Tr "settings.choose_new_avatar")}}
 				</div>
@@ -119,7 +117,6 @@
 								<td>{{DateUtils.FullTime .PullMirror.UpdatedUnix}}</td>
 								<td class="tw-text-right">
 									<form method="post" class="tw-inline-block">
-										{{.CsrfTokenHtml}}
 										<input type="hidden" name="action" value="mirror-sync">
 										<button class="ui primary tiny button inline">{{ctx.Locale.Tr "repo.settings.sync_mirror"}}</button>
 									</form>
@@ -129,7 +126,6 @@
 								<td colspan="4">
 									<form class="ui form" method="post">
 										{{template "base/disable_form_autofill"}}
-										{{.CsrfTokenHtml}}
 										<input type="hidden" name="action" value="mirror">
 										<div class="inline field {{if .Err_EnablePrune}}error{{end}}">
 											<label>{{ctx.Locale.Tr "repo.mirror_prune"}}</label>
@@ -226,13 +222,11 @@
 										{{svg "octicon-pencil" 14}}
 									</button>
 									<form method="post" class="tw-inline-block">
-										{{$.CsrfTokenHtml}}
 										<input type="hidden" name="action" value="push-mirror-sync">
 										<input type="hidden" name="push_mirror_id" value="{{.ID}}">
 										<button class="ui primary tiny button" data-tooltip-content="{{ctx.Locale.Tr "repo.settings.sync_mirror"}}">{{svg "octicon-sync" 14}}</button>
 									</form>
 									<form method="post" class="tw-inline-block">
-										{{$.CsrfTokenHtml}}
 										<input type="hidden" name="action" value="push-mirror-remove">
 										<input type="hidden" name="push_mirror_id" value="{{.ID}}">
 										<button class="ui basic red tiny button" data-tooltip-content="{{ctx.Locale.Tr "remove"}}">{{svg "octicon-trash" 14}}</button>
@@ -249,7 +243,6 @@
 									<td colspan="4">
 										<form class="ui form" method="post">
 											{{template "base/disable_form_autofill"}}
-											{{.CsrfTokenHtml}}
 											<input type="hidden" name="action" value="push-mirror-add">
 											<div class="field {{if .Err_PushMirrorAddress}}error{{end}}">
 												<label for="push_mirror_address">{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.remote_url"}}</label>
@@ -299,7 +292,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="advanced">
 
 				{{$isCodeEnabled := .Repository.UnitEnabled ctx ctx.Consts.RepoUnitTypeCode}}
@@ -647,7 +639,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="signing">
 				<div class="field">
 					<label>{{ctx.Locale.Tr "repo.settings.trust_model"}}</label><br>
@@ -694,7 +685,6 @@
 		</h4>
 		<div class="ui attached segment">
 			<form class="ui form" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="admin">
 				<div class="field">
 					<div class="ui checkbox">
@@ -710,7 +700,6 @@
 
 			<div class="divider"></div>
 			<form class="ui form" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="admin_index">
 				{{if .IsRepoIndexerEnabled}}
 					<h4 class="ui header">{{ctx.Locale.Tr "repo.settings.admin_code_indexer"}}</h4>
@@ -815,7 +804,6 @@
 					<div class="flex-item-trailing">
 						{{if .RepoTransfer}}
 							<form class="ui form" action="{{.Link}}" method="post">
-								{{.CsrfTokenHtml}}
 								<input type="hidden" name="action" value="cancel_transfer">
 								<button class="ui red button">{{ctx.Locale.Tr "repo.settings.transfer_abort"}}</button>
 							</form>
@@ -883,7 +871,6 @@
 					{{ctx.Locale.Tr "repo.settings.convert_notices_1"}}
 				</div>
 				<form class="ui form" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<input type="hidden" name="action" value="convert">
 					<div class="field">
 						<label>
@@ -914,7 +901,6 @@
 					{{ctx.Locale.Tr "repo.settings.convert_fork_notices_1"}}
 				</div>
 				<form class="ui form" action="{{.Link}}" method="post">
-					{{.CsrfTokenHtml}}
 					<input type="hidden" name="action" value="convert_fork">
 					<div class="field">
 						<label>
@@ -947,7 +933,6 @@
 				{{ctx.Locale.Tr "repo.settings.transfer_notices_4"}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="transfer">
 				<div class="field">
 					<label>
@@ -985,7 +970,6 @@
 				{{end}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="delete">
 				<div class="field">
 					<label>
@@ -1026,7 +1010,6 @@
 					{{end}}
 			</div>
 			<form action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="visibility">
 				<input type="hidden" name="repo_id" value="{{.Repository.ID}}">
 				{{template "base/modal_actions_confirm" .}}
@@ -1045,7 +1028,6 @@
 				{{ctx.Locale.Tr "repo.settings.wiki_delete_notices_1" .Repository.Name}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="delete-wiki">
 				<div class="field">
 					<label>
@@ -1086,7 +1068,6 @@
 				</p>
 			</div>
 			<form action="{{.Link}}" method="post">
-				{{.CsrfTokenHtml}}
 				<input type="hidden" name="action" value="{{if .Repository.IsArchived}}unarchive{{else}}archive{{end}}">
 				<input type="hidden" name="repo_id" value="{{.Repository.ID}}">
 				{{template "base/modal_actions_confirm" .}}

templates/repo/settings/protected_branch.tmpl

@@ -27,7 +27,6 @@
 					<p class="help tw-ml-0">{{ctx.Locale.Tr "repo.settings.protect_unprotected_file_patterns_desc" "https://pkg.go.dev/github.com/gobwas/glob#Compile" "github.com/gobwas/glob"}}</p>
 				</div>
 
-				{{.CsrfTokenHtml}}
 				<h5 class="ui dividing header">{{ctx.Locale.Tr "repo.settings.event_push"}}</h5>
 				<div class="field">
 					<div class="ui radio checkbox">

templates/repo/settings/public_access.tmpl

@@ -12,7 +12,6 @@
 		{{$paEveryoneRead := "everyone-read"}}
 		{{$paEveryoneWrite := "everyone-write"}}
 		<form class="ui form" method="post">
-			{{.CsrfTokenHtml}}
 			<table class="ui table unstackable tw-my-2">
 				<thead>
 					<tr>

templates/repo/settings/push_mirror_sync_modal.tmpl

@@ -3,7 +3,6 @@
 		{{ctx.Locale.Tr "repo.settings.mirror_settings.push_mirror.edit_sync_time"}}
 	</div>
 	<form class="content ui form ignore-dirty" method="post">
-		{{.CsrfTokenHtml}}
 		<input type="hidden" name="action" value="push-mirror-update">
 		<input type="hidden" name="push_mirror_id" id="push-mirror-edit-id">
 		<div class="field">

templates/repo/settings/tags.tmpl

@@ -14,7 +14,6 @@
 					<div class="sixteen wide column">
 						<div class="ui segment">
 							<form class="ui form" action="{{.Link}}" method="post">
-								{{.CsrfTokenHtml}}
 								<div class="field">
 									<label>{{ctx.Locale.Tr "repo.settings.tags.protection.pattern"}}</label>
 									<div id="search-tag-box" class="ui search">
@@ -107,7 +106,6 @@
 										<td class="tw-text-right">
 											<a class="ui tiny primary button" href="{{$.RepoLink}}/settings/tags/{{.ID}}">{{ctx.Locale.Tr "edit"}}</a>
 											<form class="tw-inline-block" action="{{$.RepoLink}}/settings/tags/delete" method="post">
-												{{$.CsrfTokenHtml}}
 												<input type="hidden" name="id" value="{{.ID}}">
 												<button class="ui tiny red button">{{ctx.Locale.Tr "remove"}}</button>
 											</form>

templates/repo/settings/webhook/dingtalk.tmpl

@@ -1,7 +1,6 @@
 {{if eq .HookType "dingtalk"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://dingtalk.com" (ctx.Locale.Tr "repo.settings.web_hook_name_dingtalk")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/dingtalk/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>

templates/repo/settings/webhook/discord.tmpl

@@ -1,7 +1,6 @@
 {{if eq .HookType "discord"}}
 	<p>{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://discord.com" (ctx.Locale.Tr "repo.settings.web_hook_name_discord")}}</p>
 	<form class="ui form" action="{{.BaseLink}}/discord/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>

templates/repo/settings/webhook/feishu.tmpl

@@ -4,7 +4,6 @@
 		{{ctx.Locale.Tr "repo.settings.add_web_hook_desc" "https://larksuite.com" (ctx.Locale.Tr "repo.settings.web_hook_name_larksuite")}}
 	</p>
 	<form class="ui form" action="{{.BaseLink}}/feishu/{{or .Webhook.ID "new"}}" method="post">
-		{{.CsrfTokenHtml}}
 		<div class="required field {{if .Err_PayloadURL}}error{{end}}">
 			<label for="payload_url">{{ctx.Locale.Tr "repo.settings.payload_url"}}</label>
 			<input id="payload_url" name="payload_url" type="url" value="{{.Webhook.URL}}" autofocus required>