wsd/FileServer.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 4d6b338bf0d2e77ab2a52db1dd19441a26375a72
Author: Pranav Kant <pran...@collabora.co.uk>
Date: Mon Apr 10 18:27:07 2017 +0530
security: Stricter Referrer-Policy: no-referrer
I don't think we should leak our address (which mostly is behind a WOPI host and end-user has no idea of what host LibreOffice Online is running at) in the Referer header. Lets be more strict here and don't leak our address at all.
Change-Id: Ibc30e9b64e2e06e2e8d541c5f089320ecb11412b
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index b8448ddb..8968133b 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -142,6 +142,8 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M
 // Ask UAs to block if they detect any XSS attempt
 response.add("X-XSS-Protection", "1; mode=block");
+ // No referrer-policy
+ response.add("Referrer-Policy", "no-referrer");
 }
 const auto path = Poco::Path(LOOLWSD::FileServerRoot, getRequestPathname(request));
@@ -345,7 +347,8 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
 << "Content-Length: " << preprocess.size() << "\r\n"
 << "Content-Type: " << mimeType << "\r\n"
 << "X-Content-Type-Options: nosniff\r\n"
- << "X-XSS-Protection: 1; mode=block\r\n";
+ << "X-XSS-Protection: 1; mode=block\r\n"
+ << "Referrer-Policy: no-referrer\r\n";
 if (!wopiDomain.empty())
 {
_______________________________________________
Libreoffice-commits mailing list
libreoffice-comm...@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
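Review bot: The security-header set is now maintained by hand in two places with two different mechanisms — `response.add(...)` in handleRequest and the raw `<< "...\r\n"` stream in preprocessFile (second hunk) — so the next header added will easily land in one response path and not the other, as this commit itself shows by having to touch both. Consider hoisting the fixed name/value pairs (`X-Content-Type-Options`, `X-XSS-Protection`, `Referrer-Policy`) into one file-local constant list that both functions iterate, so the two paths cannot drift. The comment `// No referrer-policy` in the first hunk reads as if no policy were set at all; `// Referrer-Policy: no-referrer - never send a Referer, so this host's address is not disclosed to other origins` states the intent. Since `no-referrer` also suppresses Referer on requests the served page makes back to the WOPI host, it is worth confirming nothing downstream relies on that header for origin checks; that cannot be told from the hunk. preprocessFile begins outside the hunk and the `if (!wopiDomain.empty())` block continues past its last line.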