From d02b01c733dec1abeb993ed9577d21ba297e7dcf Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Sat, 27 Sep 2025 15:54:49 +0800
Subject: [PATCH] WebUI: don't send HTTP Referer header to other servers `same-origin` > Sends the full URL (stripped of parameters) for same-origin requests. Cross-origin requests will contain no referrer header. This would be helpful for 3rd party WebUI that were forked from the official one. The official WebUI is not affect by this change since the request is blocked by CSP. PR #23294.
---
 src/webui/www/private/views/rss.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/webui/www/private/views/rss.html b/src/webui/www/private/views/rss.html
index 80723924c..f2e790878 100644
--- a/src/webui/www/private/views/rss.html
+++ b/src/webui/www/private/views/rss.html
@@ -503,7 +503,7 @@
 const iframeElement = document.createElement("iframe");
 iframeElement.id = "rssDescription";
 iframeElement.sandbox = "allow-same-origin"; // allowed to get parent css
- iframeElement.srcdoc = `${articleDescription}`;
+ iframeElement.srcdoc = `${articleDescription}`;
 detailsView.append(iframeElement);
 }
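Review bot: The `same-origin` policy this commit describes ends up in the same `srcdoc` document as the interpolated `${articleDescription}`, so it acts only as a document-level default. Feed-supplied markup can still set a per-element `referrerpolicy` attribute, which takes precedence for that element's request. The srcdoc markup itself is not visible in this rendering (the removed and added lines read identically), so this rests on the commit description, and whether `articleDescription` is sanitized earlier is outside the hunk. I would add a comment above the assignment such as `// referrer policy here is a default only; per-element referrerpolicy in feed HTML can override it, so CSP remains the real barrier`. If no sanitizer already does it, also strip `referrerpolicy` attributes from the description before interpolation. The enclosing function starts and ends outside the hunk.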