
Commit 1e5716c

committed
Add referrer CSP and <meta> tag
This avoids leaking the Referer header in modern browsers. Signed-off-by: Michal Čihař <michal@cihar.com>
1 parent be3ecbb commit 1e5716c


1 file changed

+4
-0
lines changed


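--- a/libraries/Header.php
+++ b/libraries/Header.php
@@ -550,6 +550,7 @@ public function sendHttpHeaders()
 . $captcha_url
 . $GLOBALS['cfg']['CSPAllow']
 . ";"
+. "referrer no-referrer;"
 . "img-src 'self' data: "
 . $GLOBALS['cfg']['CSPAllow']
 . $map_tile_urls
@@ -561,6 +562,7 @@ public function sendHttpHeaders()
 . $captcha_url
 . $GLOBALS['cfg']['CSPAllow'] . ';'
 . "options inline-script eval-script;"
+. "referrer no-referrer;"
 . "img-src 'self' data: "
 . $GLOBALS['cfg']['CSPAllow']
 . $map_tile_urls
@@ -575,6 +577,7 @@ public function sendHttpHeaders()
 . $captcha_url
 . $GLOBALS['cfg']['CSPAllow']
 . " 'unsafe-inline' 'unsafe-eval';"
+. "referrer no-referrer;"
 . "style-src 'self' 'unsafe-inline' "
 . $captcha_url
 . ';'
@@ -636,6 +639,7 @@ private function _getHtmlStart()
 private function _getMetaTags()
 {
 $retval = '<meta charset="utf-8" />';
+$retval .= '<meta name="referrer" content="none" />';
 $retval .= '<meta name="robots" content="noindex,nofollow" />';
 $retval .= '<meta http-equiv="X-UA-Compatible" content="IE=Edge">';
 if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {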
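Review bot: The `referrer no-referrer;` token added to all three CSP variants is the CSP 1.1 draft directive, which was dropped from CSP before standardisation and is ignored (usually with an unrecognised-directive console warning) by current browsers, so on its own it does not stop the Referer from being sent; the standards-track control is a separate `Referrer-Policy: no-referrer` response header, which could be emitted from sendHttpHeaders alongside the CSP headers. The `<meta name="referrer">` fallback in _getMetaTags uses `content="none"`, which is not a keyword of the Referrer Policy spec (the keyword is `no-referrer`; the legacy tokens are `never`, `default`, `always`, `origin-when-crossorigin`) and is inconsistent with the `no-referrer` token used in the headers; an unrecognised value is treated as the empty policy, so I'd change it to `$retval .= '<meta name="referrer" content="no-referrer" />';`. Browsers that implemented the draft may have honoured the older spellings, which is presumably why they were chosen, but as written both additions are silently ineffective elsewhere. The body of sendHttpHeaders begins and ends outside these hunks, so I cannot see where the assembled policy strings are actually sent.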
