[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - wsd/FileServer.cpp
Pranav Kant
pranavk at collabora.co.uk
Mon Apr 10 18:37:09 UTC 2017
wsd/FileServer.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 4b8a6f491e5d7d603de074302d97ecf3d547ae69
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Mon Apr 10 18:27:07 2017 +0530
security: Stricter Referrer-Policy: no-referrer
I don't think we should leak our address
(which mostly is behind a WOPI host, and the end-user
has no idea of what host LibreOffice Online is running at) in the
Referer header. Let's be more strict here and not leak our address
at all.
Change-Id: Ibc30e9b64e2e06e2e8d541c5f089320ecb11412b
(cherry picked from commit 4d6b338bf0d2e77ab2a52db1dd19441a26375a72)
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index b8448ddb..8968133b 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -142,6 +142,8 @@ void FileServerRequestHandler::handleRequest(const HTTPRequest& request, Poco::M
// Ask UAs to block if they detect any XSS attempt
response.add("X-XSS-Protection", "1; mode=block");
+ // No referrer-policy
+ response.add("Referrer-Policy", "no-referrer");
}
const auto path = Poco::Path(LOOLWSD::FileServerRoot, getRequestPathname(request));
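Review bot: the comment "// No referrer-policy" on the added line is misleading; the code sets a Referrer-Policy, and its value is `no-referrer`. Suggest "// Ask UAs not to send a Referer header for requests originating from this page" so the intent (hiding the LibreOffice Online host, per the commit message) is clear to the next reader. Also worth confirming that the WOPI host this deployment sits behind does not rely on the Referer of requests coming from the served pages, since `no-referrer` suppresses it for same-origin and cross-origin requests alike.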
@@ -345,7 +347,8 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "Content-Length: " << preprocess.size() << "\r\n"
<< "Content-Type: " << mimeType << "\r\n"
<< "X-Content-Type-Options: nosniff\r\n"
- << "X-XSS-Protection: 1; mode=block\r\n";
+ << "X-XSS-Protection: 1; mode=block\r\n"
+ << "Referrer-Policy: no-referrer\r\n";
if (!wopiDomain.empty())
{
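Review bot: this is the second place the same set of security headers is written by hand (the first hunk uses `response.add`, this one streams raw header lines), so the two copies can drift; consider a single helper that emits `X-Content-Type-Options`, `X-XSS-Protection` and `Referrer-Policy` for both paths. The change to the `X-XSS-Protection` line itself is correct: the old terminating `;` is dropped and re-added after the new `<< "Referrer-Policy: no-referrer\r\n"` line, so the stream expression stays well-formed.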