wsd/FileServer.cpp |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 4d6b338bf0d2e77ab2a52db1dd19441a26375a72
Author: Pranav Kant <pran...@collabora.co.uk>
Date:   Mon Apr 10 18:27:07 2017 +0530

    security: Stricter Referrer-Policy: no-referrer
    
    I don't think we should leak our address
    (which mostly is behind a WOPI host and end-user
    has no idea of what host LibreOffice Online is running at) in the
    Referer header. Let's be stricter here and not leak our address
    at all.
    
    Change-Id: Ibc30e9b64e2e06e2e8d541c5f089320ecb11412b

diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index b8448ddb..8968133b 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -142,6 +142,8 @@ void FileServerRequestHandler::handleRequest(const 
HTTPRequest& request, Poco::M
 
                 // Ask UAs to block if they detect any XSS attempt
                 response.add("X-XSS-Protection", "1; mode=block");
+                // No referrer-policy
+                response.add("Referrer-Policy", "no-referrer");
             }
 
             const auto path = Poco::Path(LOOLWSD::FileServerRoot, 
getRequestPathname(request));
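Review bot: The comment on the added line, `// No referrer-policy`, says the opposite of what the header does — `no-referrer` is the strictest Referrer-Policy value, not the absence of one; suggest `// Referrer-Policy: no-referrer — never expose our (usually internal) host in the Referer of requests the page makes`. The same header is also emitted from preprocessFile as a hand-built header string, so a small shared helper for the security-header set would keep the two paths from drifting when the next header (e.g. a Content-Security-Policy) is added. handleRequest begins and continues outside the hunk, and the brace closed on the next line belongs to a condition not visible here, so it cannot be confirmed from this hunk that every response path receives the header.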
@@ -345,7 +347,8 @@ void FileServerRequestHandler::preprocessFile(const 
HTTPRequest& request, Poco::
         << "Content-Length: " << preprocess.size() << "\r\n"
         << "Content-Type: " << mimeType << "\r\n"
         << "X-Content-Type-Options: nosniff\r\n"
-        << "X-XSS-Protection: 1; mode=block\r\n";
+        << "X-XSS-Protection: 1; mode=block\r\n"
+        << "Referrer-Policy: no-referrer\r\n";
 
     if (!wopiDomain.empty())
     {
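Review bot: The security headers here are assembled as a raw string and duplicate the set added to handleRequest via response.add, so any future hardening header has to be remembered in two places; consider emitting both from one helper. Worth recording the operational consequence next to the new line as well: with `no-referrer`, requests from the served page to the WOPI host carry no Referer at all, so if that host's CSRF or origin checks rely on Referer (not visible from here), they must use Origin or a token instead — e.g. `// no-referrer also strips Referer on requests to the WOPI host; origin checks there must not depend on it`. preprocessFile begins outside the hunk.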