[1/2] Apache: prevent Referrer leaks via WebUI

Message ID be90ea63-4452-4908-e8e2-04720133705f@ipfire.org
State Staged
Commit 583687a88d263b68b4fdb27e78a7b65120d21088
Headers show
Series
  • [1/2] Apache: prevent Referrer leaks via WebUI
Related show

Commit Message

Peter Müller Nov. 4, 2019, 6:52 p.m. UTC
By default, even modern browsers sent the URL of ther originating
site to another one when accessing hyperlinks. This is an information
leak and may expose internal details (such as FQDN or IP address)
of an IPFire installation to a third party.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 +
 config/httpd/vhosts.d/ipfire-interface.conf     | 1 +
 2 files changed, 2 insertions(+)

Comments

Michael Tremer Nov. 5, 2019, 10:34 a.m. UTC | #1
Hi,

Acked-by: Michael Tremer <michael.tremer@ipfire.org>

> On 4 Nov 2019, at 18:52, peter.mueller@ipfire.org wrote:
> 
> By default, even modern browsers sent the URL of ther originating
> site to another one when accessing hyperlinks. This is an information
> leak and may expose internal details (such as FQDN or IP address)
> of an IPFire installation to a third party.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 +
> config/httpd/vhosts.d/ipfire-interface.conf     | 1 +
> 2 files changed, 2 insertions(+)
> 
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index 2009184bb..dc1151110 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -22,6 +22,7 @@
> 
>     Header always set X-Content-Type-Options nosniff
>     Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
> +    Header always set Referrer-Policy strict-origin
> 
>     <Directory /srv/web/ipfire/html>
>         Options ExecCGI
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> index b70994404..d95fa264f 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -8,6 +8,7 @@
> 
>     Header always set X-Content-Type-Options nosniff
>     Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
> +    Header always set Referrer-Policy strict-origin
> 
>     <Directory /srv/web/ipfire/html>
>         Options ExecCGI
> -- 
> 2.16.4

Patch

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 2009184bb..dc1151110 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -22,6 +22,7 @@ 
 
     Header always set X-Content-Type-Options nosniff
     Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    Header always set Referrer-Policy strict-origin
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index b70994404..d95fa264f 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -8,6 +8,7 @@ 
 
     Header always set X-Content-Type-Options nosniff
     Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    Header always set Referrer-Policy strict-origin
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI