Mask referrer field when creating OEMBED attachments

[Sing-Li]

There are some security sensitive applications where the REFERRER field of the request issued by our OEMBED outreach can be used to identify the source absolutely (and becomes a security risk).

Allow a redirector (or some sort of proxy) to be specified in order to mask the REFERRER field of the outreach request.

[MartinSchoeler]

@Sing-Li Was it a request from Radically Open Security? Or it was just an idea?

[Sing-Li]

@MartinSchoeler Why does it matter? It is an idea from Radically Open Security, our security consultancy partner.

[engelgabriel]

@Sing-Li, we just wanted to check the priority... If this was a production problem already or a nice-to-have.

[ghost]

@engelgabriel @Sing-Li I think we have a severe security issue here. This is how it looks on the server who hosts the attachement when someone clicks on an attachement.

151.xxx.xxx.xxx - - [04/Oct/2017:08:59:55 +0200] "GET /pics/test-1.jpg HTTP/1.1" 200 27142 "https://rocketchat.domain.de/direct/<actual_username>" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Rocket.Chat+/2.9.0 Chrome/58.0.3029.110 Electron/1.7.6 Safari/537.36"

So as you can see, at least the username and the channel name is leaked.

Maybe the rocketchat server itself could act as proxy?

thanks and cheers

[yahesh]

Hi, we have the same problem. Will this be fixed anytime soon?

[theorenck]

We're decided to go with the "act as a proxy", solution.