Fatal error due to CRSF security

Description

CRSF stuff didn't take care of all the case (especialy if Fd is used trough 2 reverse proxy)

Distribution Name and Version

fusiondirectory: Installé : 1.3-2jenkinsbuild64 Candidat : 1.3-2jenkinsbuild64 from deb package

FusionDirectory Version

1.3.2

PHP version used

php: Installé : 1:7.0+49 Candidat : 1:7.0+49

Origin of php packages

deb https://integration.fusiondirectory.org/repos/development/debian/fusiondirectory-dev-stretch stretch main

Steps to Reproduce

1. Fd is instaleld beahind 2 proxies ( each off them keep the virtualhost name when request is proxied)
2. When try to edit a record an error occur : Fatal error: Uncaught FusionDirectoryException: CSRF detected: origin and target are not matching (my.server.com!= my.server.com, my.server.com) )

Expected behavior: values could be edited without fatal error

Actual behavior:

Fatal error

Reproduces how often: 100%

Additional Information

some links :

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
• https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers
• https://stackoverflow.com/questions/17411391/whats-the-variable-http-x-forwarded-host-in-the-env-hash-in-middleware

maybe get the first value ?