Bug 1370855 - Restrict Referer to same-origin #855

da2x · 2018-10-23T01:15:15Z

No description provided.

floatingatoll · 2018-10-23T01:25:43Z

Bugzilla/CGI.pm

@@ -561,6 +561,10 @@ sub header {
    # the MIME type away from the declared Content-Type.
    $headers{'-x_content_type_options'} = 'nosniff';

+    # Add Referrer-Policy (sic) header to prevent browsers sending
+    # Referer (sic) headers to external websites.
+    $headers{'-referrer_policy'} = 'same-origin';


Please consider adding a backup referrer policy, for browsers that don't support 'same-origin'; for example, the below approach probably works to block older browsers from transmitting any referrer at all unless they support the new same-origin policy:

Referrer-Policy: same-origin, no-referrer, none

This would cause more issues than it solves. It would set the document policty to any one of the three values at random (as per the standard algorithm that doesn’t specify a sorting order).

I did a quick check, and not a single website in the HTTP Archive has the Referrer-Policy value of same-origin, no-referrer, none. I ran out of credits there just now so I can’t check if any value at all contains a comma.

The algorithm for Referrer Policy does specify an order:
https://www.w3.org/TR/referrer-policy/#unknown-policy-values

So Referrer-Policy: no-referrer, strict-origin-when-cross-origin is perfectly valid, as is the policy above.

dylanwh · 2018-10-23T01:36:34Z

Because of the move to Mojolicious, we have a much better place to apply headers that will work for both the old parts of the code (CGI) and all future code.

In addition, this could be accomplished with a plugin: https://metacpan.org/pod/Mojolicious::Plugin::SecurityHeader

To do this, you'd add Mojolicious::Plugin::SecurityHeader to Makefile.PL (near the other lines about Mojolicious stuff) and then in Bugzilla/Quantum.pm add $self->plugin('SecurityHeader' => {...}) as in the docs for Mojolicious::Plugin::SecurityHeader linked above.

dylanwh · 2018-10-23T01:37:59Z

Using that plugin will actually solve this bug and a bunch of other bugs, some of which have not been filed yet.

floatingatoll · 2018-10-23T02:05:47Z

Works for me! (And thank you for considering it.)

dylanwh

This is good enough for now. we'll need to add this using either SecurityHeaders plugin, or manually with a before-request hook, eventually.

dylanwh · 2018-10-25T00:56:04Z

@da2x Thanks for contributing this! It should be live sometime next week, Tuesday or Wednesday at the latest.

Bug 1370855 - Restrict Referer to same-origin

bf6b5a1

kyoshino added the small Small changes that can be quickly merged label Oct 23, 2018

floatingatoll reviewed Oct 23, 2018

View reviewed changes

dylanwh approved these changes Oct 25, 2018

View reviewed changes

dylanwh merged commit ac92b20 into mozilla-bteam:master Oct 25, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug 1370855 - Restrict Referer to same-origin #855

Bug 1370855 - Restrict Referer to same-origin #855

da2x commented Oct 23, 2018

floatingatoll Oct 23, 2018 •

edited

da2x Oct 23, 2018

april Dec 4, 2018

dylanwh commented Oct 23, 2018

dylanwh commented Oct 23, 2018

floatingatoll commented Oct 23, 2018 •

edited

dylanwh left a comment

dylanwh commented Oct 25, 2018

Bug 1370855 - Restrict Referer to same-origin #855

Bug 1370855 - Restrict Referer to same-origin #855

Conversation

da2x commented Oct 23, 2018

floatingatoll Oct 23, 2018 • edited

Choose a reason for hiding this comment

da2x Oct 23, 2018

Choose a reason for hiding this comment

april Dec 4, 2018

Choose a reason for hiding this comment

dylanwh commented Oct 23, 2018

dylanwh commented Oct 23, 2018

floatingatoll commented Oct 23, 2018 • edited

dylanwh left a comment

Choose a reason for hiding this comment

dylanwh commented Oct 25, 2018

floatingatoll Oct 23, 2018 •

edited

floatingatoll commented Oct 23, 2018 •

edited