Add referrer CSP and <meta> tag

This avoids leaking Referer header in modern browsers. Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Jun 20, 2016 · 1e5716c · 1e5716c
1 parent be3ecbb
commit 1e5716c
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/libraries/Header.php b/libraries/Header.php
@@ -550,6 +550,7 @@ public function sendHttpHeaders()
             . $captcha_url
             . $GLOBALS['cfg']['CSPAllow']
             . ";"
+            . "referrer no-referrer;"
             . "img-src 'self' data: "
             . $GLOBALS['cfg']['CSPAllow']
             . $map_tile_urls
@@ -561,6 +562,7 @@ public function sendHttpHeaders()
             . $captcha_url
             . $GLOBALS['cfg']['CSPAllow'] . ';'
             . "options inline-script eval-script;"
+            . "referrer no-referrer;"
             . "img-src 'self' data: "
             . $GLOBALS['cfg']['CSPAllow']
             . $map_tile_urls
@@ -575,6 +577,7 @@ public function sendHttpHeaders()
             . $captcha_url
             . $GLOBALS['cfg']['CSPAllow']
             . " 'unsafe-inline' 'unsafe-eval';"
+            . "referrer no-referrer;"
             . "style-src 'self' 'unsafe-inline' "
             . $captcha_url
             . ';'
@@ -636,6 +639,7 @@ private function _getHtmlStart()
     private function _getMetaTags()
     {
         $retval  = '<meta charset="utf-8" />';
+        $retval .= '<meta name="referrer" content="none" />';
         $retval .= '<meta name="robots" content="noindex,nofollow" />';
         $retval .= '<meta http-equiv="X-UA-Compatible" content="IE=Edge">';
         if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {