Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)

Added 'common_headers' hook
6 years ago · 186f21c4c1
parent cf7e4f12b2
commit 186f21c4c1
4 changed files with 25 additions and 7 deletions
--- a/.htaccess
+++ b/.htaccess
@ -64,5 +64,6 @@ Header set X-Robots-Tag "noindex, nofollow"
 # CSP - Content Security Policy
 # for better privacy/security ask browsers to not set the Referer
 # more flags for script, stylesheets and images available, read RFC for more information
+# Note: "Referrer-Policy: same-origin" is already set by php code.
 #Header set Content-Security-Policy "referrer no-referrer"
 </IfModule>
--- a/2
+++ b/2
@ -2,9 +2,11 @@ CHANGELOG Roundcube Webmail
 ===========================

 - SMTP GSSAPI support via krb_authentication plugin (#6417)
+- Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
 - Removed referer_check option (#6440)
 - Update to TinyMCE 4.8.2
 - Plugin API: Added 'raise_error' hook (#6199)
+- Plugin API: Added 'common_headers' hook (#6385)
 - Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
 - Password: Added 'modoboa' driver (#6361)
 - Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)
--- a/index.php
+++ b/index.php
@ -44,7 +44,7 @@ $RCMAIL = rcmail::get_instance(0, $GLOBALS['env']);

 // Make the whole PHP output non-cacheable (#1487797)
 $RCMAIL->output->nocacheing_headers();
-$RCMAIL->output->common_headers();
+$RCMAIL->output->common_headers(!empty($_SESSION['user_id']));

 // turn on output buffering
 ob_start();
--- a/program/lib/Roundcube/rcube_output.php
+++ b/program/lib/Roundcube/rcube_output.php
@ -175,25 +175,40 @@ abstract class rcube_output
    }

    /**
-     * Send browser compatibility/security/etc. headers
+     * Send browser compatibility/security/privacy headers
+     *
+     * @param bool $privacy Enable privacy headers
     */
-    public function common_headers()
+    public function common_headers($privacy = true)
    {
        if (headers_sent()) {
            return;
        }

+        $headers = array();
+
        // Unlock IE compatibility mode
        if ($this->browser->ie) {
-            header('X-UA-Compatible: IE=edge');
+            $headers['X-UA-Compatible'] = 'IE=edge';
        }

-        // Request browser to disable DNS prefetching (CVE-2010-0464)
-        header("X-DNS-Prefetch-Control: off");
+        if ($privacy) {
+            // Request browser to disable DNS prefetching (CVE-2010-0464)
+            $headers['X-DNS-Prefetch-Control'] = 'off';
+
+            // Request browser disable Referer (sic) header
+            $headers['Referrer-Policy'] = 'same-origin';
+        }

        // send CSRF and clickjacking protection headers
        if ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')) {
-            header('X-Frame-Options: ' . $xframe);
+            $headers['X-Frame-Options'] = $xframe;
+        }
+
+        $plugin = $this->app->plugins->exec_hook('common_headers', array('headers' => $headers, 'privacy' => $privacy));
+
+        foreach ($plugin['headers'] as $header => $value) {
+            header("$header: $value");
        }
    }