Add option to control CSRF protection

Some users are using WebUI with simple port-forwarding from their router,
providing an option to control the protection will save them from setting up an
non-trival web proxy.
Closes #7274.

src/webui/api/appcontroller.cpp

@@ -207,6 +207,7 @@ void AppController::preferencesAction()
     data["bypass_auth_subnet_whitelist"] = authSubnetWhitelistStringList.join("\n");
     // Security
     data["web_ui_clickjacking_protection_enabled"] = pref->isWebUiClickjackingProtectionEnabled();
+    data["web_ui_csrf_protection_enabled"] = pref->isWebUiCSRFProtectionEnabled();
     // Update my dynamic domain name
     data["dyndns_enabled"] = pref->isDynDNSEnabled();
     data["dyndns_service"] = pref->getDynDNSService();
@@ -484,6 +485,8 @@ void AppController::setPreferencesAction()
     // Security
     if (m.contains("web_ui_clickjacking_protection_enabled"))
         pref->setWebUiClickjackingProtectionEnabled(m["web_ui_clickjacking_protection_enabled"].toBool());
+    if (m.contains("web_ui_csrf_protection_enabled"))
+        pref->setWebUiCSRFProtectionEnabled(m["web_ui_csrf_protection_enabled"].toBool());
     // Update my dynamic domain name
     if (m.contains("dyndns_enabled"))
         pref->setDynDNSEnabled(m["dyndns_enabled"].toBool());

src/webui/webapplication.cpp

@@ -430,6 +430,7 @@ void WebApplication::configure()
     }
 
     m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
+    m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
 }
 
 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -514,9 +515,11 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
     clear();
 
     try {
-        // block cross-site requests
-        if (isCrossSiteRequest(m_request) || !validateHostHeader(m_domainList))
+        // block suspicious requests
+        if ((m_isCSRFProtectionEnabled && isCrossSiteRequest(m_request))
+            || !validateHostHeader(m_domainList)) {
             throw UnauthorizedHTTPError();
+        }
 
         sessionInitialize();
         doProcessRequest();

src/webui/webapplication.h

@@ -145,4 +145,5 @@ private:
 
     // security related
     bool m_isClickjackingProtectionEnabled;
+    bool m_isCSRFProtectionEnabled;
 };

src/webui/www/private/preferences_content.html

@@ -463,6 +463,10 @@
             <input type="checkbox" id="clickjacking_protection_checkbox" />
             <label for="clickjacking_protection_checkbox">QBT_TR(Enable clickjacking protection)QBT_TR[CONTEXT=OptionsDialog]</label>
         </div>
+        <div class="formRow">
+            <input type="checkbox" id="csrf_protection_checkbox" />
+            <label for="csrf_protection_checkbox">QBT_TR(Enable Cross-Site Request Forgery (CSRF) protection)QBT_TR[CONTEXT=OptionsDialog]</label>
+        </div>
     </fieldset>
 
     <fieldset class="settings">
@@ -1029,6 +1033,7 @@
 
                     // Security
                     $('clickjacking_protection_checkbox').setProperty('checked', pref.web_ui_clickjacking_protection_enabled);
+                    $('csrf_protection_checkbox').setProperty('checked', pref.web_ui_csrf_protection_enabled);
 
                     // Update my dynamic domain name
                     $('use_dyndns_checkbox').setProperty('checked', pref.dyndns_enabled);
@@ -1322,6 +1327,7 @@
         settings.set('bypass_auth_subnet_whitelist', $('bypass_auth_subnet_whitelist_textarea').getProperty('value'));
 
         settings.set('web_ui_clickjacking_protection_enabled', $('clickjacking_protection_checkbox').getProperty('checked'));
+        settings.set('web_ui_csrf_protection_enabled', $('csrf_protection_checkbox').getProperty('checked'));
 
         // Update my dynamic domain name
         settings.set('dyndns_enabled', $('use_dyndns_checkbox').getProperty('checked'));