NEW Add the referrer-policy to "same-origin" by default.

2022-08-16 15:49:29 +02:00 · 2022-08-16 15:49:29 +02:00 · 79974b456f
commit 79974b456f
parent f404eddad0
2 changed files with 20 additions and 0 deletions
--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
@ -126,6 +126,16 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
 			header("Content-Security-Policy: ".$contentsecuritypolicy);
 		}
 	}
+
+	// Referrer-Policy
+	if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
+		// The constant WEBSITE_MAIN_SECURITY_FORCECSP should never be defined by page, but the variable used just after may be
+
+		// For public web sites, we use the same default value than "strict-origin-when-cross-origin"
+		$referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");
+
+		header("Referrer-Policy: ".$referrerpolicy);
+	}
 }

 // A lang was forced, so we change weblangs init
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@ -1461,6 +1461,16 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
 	} else {
 		header("Content-Security-Policy: ".constant('MAIN_SECURITY_FORCECSP'));
 	}
+
+	// Referrer-Policy
+	// Say if we must provide the referrer when we jump onto another web page.
+	// Default browser are 'strict-origin-when-cross-origin', we want more so we use 'same-origin' so we don't send any referrer when going into another web site
+	if (!defined('MAIN_SECURITY_FORCERP')) {
+		$referrerpolicy = getDolGlobalString('MAIN_SECURITY_FORCERP', "same-origin");
+
+		header("Referrer-Policy: ".$referrerpolicy);
+	}
+
 	if ($forcenocache) {
 		header("Cache-Control: no-cache, no-store, must-revalidate, max-age=0");
 	}