From 1f624bc5e2fc720b7f570b4b217860747ef5dc65 Mon Sep 17 00:00:00 2001 From: maTh <1645099+math-GH@users.noreply.github.com> Date: Tue, 1 Apr 2025 12:23:56 +0200 Subject: Referrer-Policy: same-origin (#6303) * Referrer-Policy: same-origin * same-origin for our own images --------- Co-authored-by: Alexandre Alapetite --- app/install.php | 1 + lib/lib_rss.php | 1 + p/.htaccess | 1 + p/ext.php | 1 + 4 files changed, 4 insertions(+) diff --git a/app/install.php b/app/install.php index 781924890..c2fd86370 100644 --- a/app/install.php +++ b/app/install.php @@ -5,6 +5,7 @@ if (function_exists('opcache_reset')) { opcache_reset(); } header("Content-Security-Policy: default-src 'self'"); +header('Referrer-Policy: same-origin'); require(LIB_PATH . '/lib_install.php'); diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 99c72cb49..b53838410 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -981,6 +981,7 @@ function errorMessageInfo(string $errorTitle, string $error = ''): string { } header("Content-Security-Policy: default-src 'self'"); + header('Referrer-Policy: same-origin'); return <<
HTTP 500: {$errorTitle}
diff --git a/p/.htaccess b/p/.htaccess index e7376e46e..8459fe604 100644 --- a/p/.htaccess +++ b/p/.htaccess @@ -41,6 +41,7 @@ AddDefaultCharset UTF-8 Header merge Cache-Control "public" Header edit Set-Cookie ^(.*)$ "$1; SameSite=Lax" + Header set Referrer-Policy "same-origin" # Provide the true IP address of the connection (e.g. last proxy), even when using mod_remoteip diff --git a/p/ext.php b/p/ext.php index 0a8c46546..b3007a4fd 100644 --- a/p/ext.php +++ b/p/ext.php @@ -112,6 +112,7 @@ if (!is_valid_path($absolute_filename)) { $content_type = SUPPORTED_TYPES[$file_type]; header("Content-Type: {$content_type}"); header("Content-Disposition: inline; filename='{$file_name}'"); +header('Referrer-Policy: same-origin'); $mtime = @filemtime($absolute_filename); if ($mtime === false) { -- cgit v1.2.3