From patchwork Mon Nov 4 18:52:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2570
To: "IPFire: Development-List"
From: peter.mueller@ipfire.org
Subject: [PATCH 1/2] Apache: prevent Referrer leaks via WebUI
Date: Mon, 04 Nov 2019 18:52:00 +0000

By default, even modern browsers send the URL of their originating site to another one when accessing hyperlinks. This is an information leak and may expose internal details (such as FQDN or IP address) of an IPFire installation to a third party.
Signed-off-by: Peter Müller Acked-by: Michael Tremer --- config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 + config/httpd/vhosts.d/ipfire-interface.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index 2009184bb..dc1151110 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -22,6 +22,7 @@ Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + Header always set Referrer-Policy strict-origin Options ExecCGI diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf index b70994404..d95fa264f 100644 --- a/config/httpd/vhosts.d/ipfire-interface.conf +++ b/config/httpd/vhosts.d/ipfire-interface.conf @@ -8,6 +8,7 @@ Header always set X-Content-Type-Options nosniff Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" + Header always set Referrer-Policy strict-origin Options ExecCGI
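Review bot: `Referrer-Policy strict-origin` in the ipfire-interface-ssl.conf hunk still sends the origin (scheme, host and port, i.e. the firewall's FQDN or IP address) to every cross-origin HTTPS destination; only the path and query string are withheld, and the referrer is suppressed entirely only on an HTTPS-to-HTTP downgrade. That falls short of the commit message's goal of keeping the FQDN or IP address from third parties. If the WebUI never needs to pass a referrer to other sites, `Header always set Referrer-Policy same-origin` (full URL on same-origin navigations, nothing otherwise) or `no-referrer` would close the leak; otherwise the commit message should state that only path and query are protected.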
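Review bot: in the ipfire-interface.conf hunk the vhost is plain HTTP, so there is no secure context to downgrade from: with `strict-origin` the browser sends the origin (host and port of the IPFire installation) on every cross-origin navigation to an HTTP target and nothing to an HTTPS target. The host exposure described in the commit message therefore remains for links from this vhost. Using the same value in both vhosts is consistent, but `same-origin` or `no-referrer` would match the stated intent in both files.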
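To make the effect of the chosen header value concrete, the following added example (not IPFire's code, not part of this patch) implements the "determine request's referrer" steps of the W3C Referrer Policy specification for all eight policy values, so the Referer a browser would send from the WebUI can be computed for a given source and destination URL. It goes beyond the patch by covering every policy, not only strict-origin. The URLs used as input are constructed, and the "potentially trustworthy" check is a simplification (https/wss/file schemes and loopback hosts only).

```python
"""Compute the Referer a browser sends for a navigation under each Referrer-Policy value.

Added example following the W3C Referrer Policy algorithm; the URLs below are
constructed and the trustworthiness check is simplified (see is_potentially_trustworthy).
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
LOCAL_SCHEMES = {"about", "blob", "data"}   # never produce a referrer
MAX_REFERRER_LENGTH = 4096                  # longer referrers fall back to the origin

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def origin_of(url: str) -> tuple[str, str, int | None]:
    """(scheme, host, port) with the scheme's default port folded in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_potentially_trustworthy(url: str) -> bool:
    """Simplified Secure Contexts check: TLS schemes, file, and loopback hosts."""
    scheme, host, _ = origin_of(url)
    if scheme in ("https", "wss", "file"):
        return True
    return host in ("localhost", "127.0.0.1", "::1") or host.endswith(".localhost")


def _serialize(scheme: str, host: str, port: int | None, path: str, query: str) -> str:
    netloc = host if port is None or DEFAULT_PORTS.get(scheme) == port else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}" + (f"?{query}" if query else "")


def strip_for_referrer(url: str, origin_only: bool) -> str:
    """Drop credentials and fragment; with origin_only also drop path and query."""
    parts = urlsplit(url)
    scheme, host, port = origin_of(url)
    if origin_only:
        return _serialize(scheme, host, port, "/", "")
    return _serialize(scheme, host, port, parts.path or "/", parts.query)


def referrer_for(source: str, destination: str, policy: str) -> str | None:
    """Referer value sent when navigating from source to destination, or None if suppressed."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if origin_of(source)[0] in LOCAL_SCHEMES:
        return None
    full = strip_for_referrer(source, origin_only=False)
    origin = strip_for_referrer(source, origin_only=True)
    if len(full) > MAX_REFERRER_LENGTH:
        full = origin
    same_origin = origin_of(source) == origin_of(destination)
    # "downgrade": leaving a TLS-protected page for a non-trustworthy destination
    downgrade = is_potentially_trustworthy(source) and not is_potentially_trustworthy(destination)

    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin
    if policy == "unsafe-url":
        return full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    return None if downgrade else full   # no-referrer-when-downgrade


def compare_policies(source: str, destination: str) -> dict[str, str | None]:
    """Referer per policy for one navigation; handy for picking a header value."""
    return {p: referrer_for(source, destination, p) for p in POLICIES}


if __name__ == "__main__":
    # Constructed WebUI URL (IPFire's default port 444) linking out to a third-party site.
    src = "https://fw.example.org:444/cgi-bin/index.cgi?page=1"
    for policy, value in compare_policies(src, "https://example.com/").items():
        print(f"{policy:32} {value}")
```

Running the block prints one line per policy; the `strict-origin` row shows `https://fw.example.org:444/`, i.e. the hostname and port still leave the firewall, while `same-origin` and `no-referrer` print `None`.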