Referrer-Policy: same-origin (#6303)

* Referrer-Policy: same-origin

* same-origin for our own images

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

4 files changed, 4 insertions, 0 deletions

diff --git a/app/install.php b/app/install.php
index 781924890..c2fd86370 100644
--- a/app/install.php
+++ b/app/install.php
@@ -5,6 +5,7 @@ if (function_exists('opcache_reset')) {
 	opcache_reset();
 }
 header("Content-Security-Policy: default-src 'self'");
+header('Referrer-Policy: same-origin');
 
 require(LIB_PATH . '/lib_install.php');
 
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 99c72cb49..b53838410 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -981,6 +981,7 @@ function errorMessageInfo(string $errorTitle, string $error = ''): string {
 	}
 
 	header("Content-Security-Policy: default-src 'self'");
+	header('Referrer-Policy: same-origin');
 
 	return <<<MSG
 	<!DOCTYPE html><html><header><title>HTTP 500: {$errorTitle}</title></header><body>
diff --git a/p/.htaccess b/p/.htaccess
index e7376e46e..8459fe604 100644
--- a/p/.htaccess
+++ b/p/.htaccess
@@ -41,6 +41,7 @@ AddDefaultCharset	UTF-8
 		Header	merge Cache-Control "public"
 	</FilesMatch>
 	Header edit Set-Cookie ^(.*)$ "$1; SameSite=Lax"
+	Header set Referrer-Policy "same-origin"
 </IfModule>
 
 # Provide the true IP address of the connection (e.g. last proxy), even when using mod_remoteip
diff --git a/p/ext.php b/p/ext.php
index 0a8c46546..b3007a4fd 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -112,6 +112,7 @@ if (!is_valid_path($absolute_filename)) {
 $content_type = SUPPORTED_TYPES[$file_type];
 header("Content-Type: {$content_type}");
 header("Content-Disposition: inline; filename='{$file_name}'");
+header('Referrer-Policy: same-origin');
 
 $mtime = @filemtime($absolute_filename);
 if ($mtime === false) {