Referrer-Policy: same-origin (#6303)

* Referrer-Policy: same-origin * same-origin for our own images --------- Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
author: maTh <1645099+math-GH@users.noreply.github.com> 2025-04-01 12:23:56 +0200
committer: GitHub <noreply@github.com> 2025-04-01 12:23:56 +0200
commit: 1f624bc5e2fc720b7f570b4b217860747ef5dc65 (patch)
tree: 894e90cef48fd596f6b87c879bbdefdd0d74e643 /p
parent: 238d5a48e41041a787f90c522c7873ef99ab6f7c (diff)
2 files changed, 2 insertions, 0 deletions
diff --git a/p/.htaccess b/p/.htaccess
index e7376e46e..8459fe604 100644
--- a/p/.htaccess
+++ b/p/.htaccess
@@ -41,6 +41,7 @@ AddDefaultCharset	UTF-8
 		Header	merge Cache-Control "public"
 	</FilesMatch>
 	Header edit Set-Cookie ^(.*)$ "$1; SameSite=Lax"
+	Header set Referrer-Policy "same-origin"
 </IfModule>
 
 # Provide the true IP address of the connection (e.g. last proxy), even when using mod_remoteip
diff --git a/p/ext.php b/p/ext.php
index 0a8c46546..b3007a4fd 100644
--- a/p/ext.php
+++ b/p/ext.php
@@ -112,6 +112,7 @@ if (!is_valid_path($absolute_filename)) {
 $content_type = SUPPORTED_TYPES[$file_type];
 header("Content-Type: {$content_type}");
 header("Content-Disposition: inline; filename='{$file_name}'");
+header('Referrer-Policy: same-origin');
 
 $mtime = @filemtime($absolute_filename);
 if ($mtime === false) {
author	maTh <1645099+math-GH@users.noreply.github.com>	2025-04-01 12:23:56 +0200
committer	GitHub <noreply@github.com>	2025-04-01 12:23:56 +0200
commit	1f624bc5e2fc720b7f570b4b217860747ef5dc65 (patch)
tree	894e90cef48fd596f6b87c879bbdefdd0d74e643 /p
parent	238d5a48e41041a787f90c522c7873ef99ab6f7c (diff)