
Deprecation of "referral" directive #13838

Closed
wants to merge 1 commit into
base: MAINT_4_4_15
from

@bofh16

bofh16 commented Nov 27, 2017

The "referral" directive in the "Content-Security-Policy" header has been deprecated in favor of a separate "Referrer-Policy" one. Using the legacy setting makes FF/Chrome display an error in the console.

[screenshot: FF57.0 console error]

[screenshot: Chromium 62.0.3202.94 console error]

Deprecation of "referral" directive
The "referral" directive in the "Content-Security-Header" has been deprecated in favor of a separate header "Referrer-Policy".
Signed-Off-By: Georgi Sinapov <bofh@bofh.bg>
Member

nijel commented Nov 28, 2017

The MAINT_4_4_15 branch is no longer maintained, so it makes no sense to merge changes there.

The supported versions already include the Referrer-Policy header:

```php
header('Referrer-Policy: no-referrer');
```

And the referrer policy is only included in X-Content-Security-Policy, which should be parsed by browsers not compliant with the current specification:

```php
// $captcha_url, $map_tile_urls and $GLOBALS['cfg']['CSPAllow'] are set
// earlier by phpMyAdmin; this fragment only emits the legacy header.
header(
    "X-Content-Security-Policy: default-src 'self' "
    . $captcha_url
    . $GLOBALS['cfg']['CSPAllow'] . ';'
    . "options inline-script eval-script;"
    . "referrer no-referrer;"   // pre-standard directive, legacy header only
    . "img-src 'self' data: "
    . $GLOBALS['cfg']['CSPAllow']
    . $map_tile_urls
    . $captcha_url
    . ";"
    . "object-src 'none';"
);
```

Compliant browsers should use the Content-Security-Policy header:

```php
// Same inputs as above; note there is no "referrer" directive here, since the
// Referrer-Policy header carries that setting for standards-compliant browsers.
header(
    "Content-Security-Policy: default-src 'self' "
    . $captcha_url
    . $GLOBALS['cfg']['CSPAllow'] . ';'
    . "script-src 'self' 'unsafe-inline' 'unsafe-eval' "
    . $captcha_url
    . $GLOBALS['cfg']['CSPAllow'] . ';'
    . "style-src 'self' 'unsafe-inline' "
    . $captcha_url
    . $GLOBALS['cfg']['CSPAllow']
    . ";"
    . "img-src 'self' data: "
    . $GLOBALS['cfg']['CSPAllow']
    . $map_tile_urls
    . $captcha_url
    . ";"
    . "object-src 'none';"
);
```
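A small header audit that encodes the distinction made in this thread: the `referrer` directive is flagged only when it appears in the standard Content-Security-Policy header, it is tolerated in the legacy X-Content-Security-Policy header, and a missing Referrer-Policy header is reported. This is an added example, not phpMyAdmin code; the header values are constructed to mirror the snippets above.

```python
"""Audit response headers for the deprecated CSP 'referrer' directive.

Added example, not phpMyAdmin code; sample header dicts are constructed.
"""

# Directives that compliant browsers ignore and log a console error for.
DEPRECATED_CSP_DIRECTIVES = {"referrer"}


def parse_csp(value):
    """Split a CSP value into {directive: [source, ...]}; names lower-cased."""
    policy = {}
    for token in value.split(";"):
        parts = token.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers):
    """Return findings for a dict of response headers (case-insensitive).

    Only the standard Content-Security-Policy header is checked for the
    deprecated directive; X-Content-Security-Policy is the legacy header read
    by pre-standard browsers, so 'referrer' there is left alone.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = parse_csp(lower.get("content-security-policy", ""))
    for name in sorted(DEPRECATED_CSP_DIRECTIVES & set(csp)):
        findings.append(f"deprecated directive '{name}' in Content-Security-Policy")
    if "referrer-policy" not in lower:
        findings.append("Referrer-Policy header missing")
    return findings


# Constructed samples: the state the PR describes versus the supported branch.
LEGACY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; referrer no-referrer; object-src 'none';",
}
CURRENT_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none';",
    "X-Content-Security-Policy": "default-src 'self'; referrer no-referrer;",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for label, hdrs in (("legacy", LEGACY_HEADERS), ("current", CURRENT_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```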

@nijel nijel closed this Nov 28, 2017

@nijel nijel self-assigned this Nov 28, 2017
