security: Stricter Referrer-Policy: no-referrer

I don't think we should leak our address
(which mostly is behind a WOPI host, and the end-user
has no idea of what host LibreOffice Online is running at) in the
Referer header. Let's be more strict here and not leak our address
at all.

Change-Id: Ibc30e9b64e2e06e2e8d541c5f089320ecb11412b
Pranav Kant 2017-04-10 18:27:07 +05:30
parent e0f7c3fc67
commit 4d6b338bf0


@ -142,6 +142,8 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M
// Ask UAs to block if they detect any XSS attempt
response.add("X-XSS-Protection", "1; mode=block");
// No referrer-policy
response.add("Referrer-Policy", "no-referrer");
}
const auto path = Poco::Path(LOOLWSD::FileServerRoot, getRequestPathname(request));
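Review bot: The comment "// No referrer-policy" above the new `response.add("Referrer-Policy", "no-referrer");` line describes the opposite of what the line does; it sets a Referrer-Policy, whose value is `no-referrer`. Suggest "// Never send a Referer header (Referrer-Policy: no-referrer)" so the comment matches the header, in the same style as the "Ask UAs to block ..." comment on the X-XSS-Protection line. Worth noting in that comment too that `no-referrer` also strips the Referer from same-origin requests, not only cross-origin ones, which is what the commit message intends but is easy to trip over later.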
@ -345,7 +347,8 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "Content-Length: " << preprocess.size() << "\r\n"
<< "Content-Type: " << mimeType << "\r\n"
<< "X-Content-Type-Options: nosniff\r\n"
<< "X-XSS-Protection: 1; mode=block\r\n";
<< "X-XSS-Protection: 1; mode=block\r\n"
<< "Referrer-Policy: no-referrer\r\n";
if (!wopiDomain.empty())
{
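Review bot: The security headers in `preprocessFile` are emitted as raw string literals into the response stream, while `handleRequest` sets the same headers through `response.add(...)`; this change had to be made twice, and the removed line shows how easy it is to get the chain termination wrong here (the `;` after `"X-XSS-Protection: 1; mode=block\r\n"` had to move to the new last line). Suggest factoring the shared headers (X-Content-Type-Options, X-XSS-Protection, Referrer-Policy) into one helper used by both paths so the two code paths cannot drift apart the next time a header is added or changed.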