security: Stricter Referrer-Policy: no-referrer
I don't think we should leak our address (which is mostly behind a WOPI host, and the end user has no idea which host LibreOffice Online is running on) in the Referer header. Let's be stricter here and not leak our address at all. Change-Id: Ibc30e9b64e2e06e2e8d541c5f089320ecb11412b
parent
e0f7c3fc67
commit
4d6b338bf0
1 changed files with 4 additions and 1 deletions
@ -142,6 +142,8 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M
|
|||
|
||||
// Ask UAs to block if they detect any XSS attempt
|
||||
response.add("X-XSS-Protection", "1; mode=block");
|
||||
// No referrer-policy
|
||||
response.add("Referrer-Policy", "no-referrer");
|
||||
}
|
||||
|
||||
const auto path = Poco::Path(LOOLWSD::FileServerRoot, getRequestPathname(request));
|
||||
|
@ -345,7 +347,8 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
|
|||
<< "Content-Length: " << preprocess.size() << "\r\n"
|
||||
<< "Content-Type: " << mimeType << "\r\n"
|
||||
<< "X-Content-Type-Options: nosniff\r\n"
|
||||
<< "X-XSS-Protection: 1; mode=block\r\n";
|
||||
<< "X-XSS-Protection: 1; mode=block\r\n"
|
||||
<< "Referrer-Policy: no-referrer\r\n";
|
||||
|
||||
if (!wopiDomain.empty())
|
||||
{
|
||||
|
|
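Review bot: The comment `// No referrer-policy` above the new `response.add("Referrer-Policy", "no-referrer")` in handleRequest reads as if no policy were being set, which is the opposite of what the line does; `// Never send a Referer header (Referrer-Policy: no-referrer)` would describe it. Note also that Poco's `add` appends a header rather than replacing one, so if any earlier code on this path already sets Referrer-Policy the response would carry it twice (not visible in the hunk; worth confirming). The same policy value is then spelled out a second time as a raw string in preprocessFile's hand-built header block, so one shared constant for "no-referrer" would keep the two response paths from drifting apart. Both enclosing functions start and end outside the hunks.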