Add disabling web referer check default blocking HTTP web commands

Add command ``SetOption128 1`` to disable the web referer check, which by default blocks HTTP web commands (#12828)
Theo Arends 2021-08-15 13:15:33 +02:00
parent 7380f85d8d
commit 15312f8829
4 changed files with 22 additions and 2 deletions


@ -9,6 +9,7 @@ All notable changes to this project will be documented in this file.
- Neopool commands ``NPPHRes``, ``NPCLRes`` and ``NPIonRes`` (#12813)
- Support for (Yeelight) Mi Desk Pro using binary tasmota32solo1.bin
- Initial support for influxdb using ``#define USE_INFLUXDB`` and several ``Ifx`` commands
- Command ``SetOption128 1`` disabling web referer check default blocking HTTP web commands (#12828)
### Changed
- NeoPixelBus library from v2.6.3 to v2.6.7


@ -118,6 +118,7 @@ The latter links can be used for OTA upgrades too like ``OtaUrl http://ota.tasmo
- Support for CAN bus and Freedom Won Battery Management System by Marius Bezuidenhout [#12651](https://github.com/arendst/Tasmota/issues/12651)
- Optional IP filter to command ``TCPStart`` [#12806](https://github.com/arendst/Tasmota/issues/12806)
- Inital support for Wi-Fi extender [#12784](https://github.com/arendst/Tasmota/issues/12784)
- Command ``SetOption128 1`` disabling web referer check default blocking HTTP web commands [#12828](https://github.com/arendst/Tasmota/issues/12828)
### Changed
- Move firmware binaries to https://github.com/arendst/Tasmota-firmware/tree/main/release-firmware


@ -157,7 +157,7 @@ typedef union { // Restricted by MISRA-C Rule 18.4 bu
uint32_t zigbee_hide_bridge_topic : 1; // bit 11 (v9.3.1.1) - SetOption125 - (Zigbee) Hide bridge topic from zigbee topic (use with SetOption89) (1)
uint32_t ds18x20_mean : 1; // bit 12 (v9.3.1.2) - SetOption126 - (DS18x20) Enable arithmetic mean over teleperiod for JSON temperature (1)
uint32_t wifi_no_sleep : 1; // bit 13 (v9.5.0.2) - SetOption127 - (Wifi) Keep wifi in no-sleep mode, prevents some occasional unresponsiveness
uint32_t spare14 : 1; // bit 14
uint32_t disable_referer_chk : 1; // bit 14 (v9.5.0.5) - SetOption128 - (Web) Allow access without referer check
uint32_t spare15 : 1; // bit 15
uint32_t spare16 : 1; // bit 16
uint32_t spare17 : 1; // bit 17


@ -400,6 +400,9 @@ const uint16_t DNS_PORT = 53;
enum HttpOptions {HTTP_OFF, HTTP_USER, HTTP_ADMIN, HTTP_MANAGER, HTTP_MANAGER_RESET_ONLY};
enum WifiTestOptions {WIFI_NOT_TESTING, WIFI_TESTING, WIFI_TEST_FINISHED, WIFI_TEST_FINISHED_BAD};
const char * headerKeys[] = {"Referer"};
const size_t numberOfHeaders = 1;
DNSServer *DnsServer;
ESP8266WebServer *Webserver;
@ -542,6 +545,9 @@ void StartWebserver(int type, IPAddress ipweb)
if (!Web.state) {
if (!Webserver) {
Webserver = new ESP8266WebServer((HTTP_MANAGER == type || HTTP_MANAGER_RESET_ONLY == type) ? 80 : WEB_PORT);
Webserver->collectHeaders(headerKeys, numberOfHeaders);
// call `Webserver->on()` on each entry
for (uint32_t i=0; i<nitems(WebServerDispatch); i++) {
const WebServerDispatch_t & line = WebServerDispatch[i];
@ -650,7 +656,19 @@ bool HttpCheckPriviledgedAccess(bool autorequestauth = true)
Webserver->requestAuthentication();
return false;
}
return true;
if (!Settings->flag5.disable_referer_chk && !WifiIsInManagerMode()) {
String referer = Webserver->header("Referer"); // http://demo/? or http://192.168.2.153/?
referer.toUpperCase();
String hostname = NetworkHostname();
hostname.toUpperCase();
if ((referer.indexOf(hostname) > 0) || (referer.indexOf(NetworkAddress().toString()) > 0)) {
return true;
}
return false;
} else {
return true;
}
}
#ifdef USE_CORS
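Review bot: The Referer test added at the end of HttpCheckPriviledgedAccess uses `referer.indexOf(hostname) > 0` and `referer.indexOf(NetworkAddress().toString()) > 0`, which are substring searches over the whole header value rather than a comparison with its host part. A Referer from a different origin therefore passes whenever the device name or address occurs anywhere in that URL (path, query, or as part of a longer host name or address), which weakens the cross-site protection this check appears intended to provide. I would isolate the authority between `://` and the first `/`, `?` or `#`, drop an optional port, and require an exact match, as sketched below; any additional names the device is legitimately reached under (for example an mDNS suffix) would then need to be compared explicitly. The function starts outside this hunk, so the authentication path before it is not reviewed here.

```cpp
  if (!Settings->flag5.disable_referer_chk && !WifiIsInManagerMode()) {
    String referer = Webserver->header("Referer");  // http://demo/? or http://192.168.2.153/?
    int host_start = referer.indexOf("://");
    if (host_start < 0) { return false; }           // missing or malformed Referer
    host_start += 3;
    int host_end = host_start;
    while (host_end < (int)referer.length()) {
      char c = referer.charAt(host_end);
      if (('/' == c) || ('?' == c) || ('#' == c)) { break; }  // end of authority
      if ('@' == c) { return false; }               // userinfo is not expected in a Referer
      host_end++;
    }
    String host = referer.substring(host_start, host_end);
    int port = host.lastIndexOf(':');               // assumes a name or IPv4 literal, not [IPv6]
    if (port >= 0) { host.remove(port); }           // drop optional :port
    String hostname = NetworkHostname();
    return host.equalsIgnoreCase(hostname) || host.equals(NetworkAddress().toString());
  }
  // … unchanged: else branch returning true …
```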