From 79974b456f664cc8e0ff22b34dbc464ab5744a87 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 16 Aug 2022 15:49:29 +0200
Subject: [PATCH] NEW Add the referrer-policy to "same-origin" by default.

---
 htdocs/core/website.inc.php | 10 ++++++++++
 htdocs/main.inc.php | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php
index 15e45bcfbcc..38698d32940 100644
--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
@@ -126,6 +126,16 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
 header("Content-Security-Policy: ".$contentsecuritypolicy);
 }
 }
+
+ // Referrer-Policy
+ if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
+ // The constant WEBSITE_MAIN_SECURITY_FORCECSP should never be defined by page, but the variable used just after may be
+
+ // For public web sites, we use the same default value than "strict-origin-when-cross-origin"
+ $referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");
+
+ header("Referrer-Policy: ".$referrerpolicy);
+ }
 }
 
 // A lang was forced, so we change weblangs init
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index e11e38863f5..675d7273c51 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
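Review bot: The comment inside the new `if (!defined('WEBSITE_MAIN_SECURITY_FORCERP'))` block names the wrong constant and is left unfinished: it says `WEBSITE_MAIN_SECURITY_FORCECSP` (carried over from the CSP block) and ends with "but the variable used just after may be". Suggest `// The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by a page, but the WEBSITE_MAIN_SECURITY_FORCERP setting read just after may be set`, and `// For public web sites we keep the browsers' own default, "strict-origin-when-cross-origin"` for the second comment. Separately, when the constant is defined this block — and the matching block in the htdocs/main.inc.php hunk — emits no Referrer-Policy header at all, whereas the CSP code visible in that second hunk sends `constant('MAIN_SECURITY_FORCECSP')` in its else branch; if the constant is meant to force a value rather than disable the header, an `else { header("Referrer-Policy: ".constant('WEBSITE_MAIN_SECURITY_FORCERP')); }` branch (and the same for MAIN_SECURITY_FORCERP) is needed, otherwise the comment should state that defining it disables the header. The enclosing `if (!defined('USEDOLIBARRSERVER') ...)` block starts before this hunk.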
@@ -1461,6 +1461,16 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
 } else {
 header("Content-Security-Policy: ".constant('MAIN_SECURITY_FORCECSP'));
 }
+
+ // Referrer-Policy
+ // Say if we must provide the referrer when we jump onto another web page.
+ // Default browser are 'strict-origin-when-cross-origin', we want more so we use 'same-origin' so we don't send any referrer when going into another web site
+ if (!defined('MAIN_SECURITY_FORCERP')) {
+ $referrerpolicy = getDolGlobalString('MAIN_SECURITY_FORCERP', "same-origin");
+
+ header("Referrer-Policy: ".$referrerpolicy);
+ }
+
 if ($forcenocache) {
 header("Cache-Control: no-cache, no-store, must-revalidate, max-age=0");
 }
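Review bot: The value read with `getDolGlobalString('MAIN_SECURITY_FORCERP', "same-origin")` is sent as-is, so a misconfigured setting (a typo, or a value with stray whitespace) produces a Referrer-Policy token browsers ignore, silently reverting them to their default 'strict-origin-when-cross-origin', which is weaker than the 'same-origin' this commit intends. Validating the setting against the tokens the Referrer-Policy specification defines and falling back to the default otherwise keeps the header effective; the rewritten lines are below. The third new comment line also reads awkwardly; suggest `// Browsers default to 'strict-origin-when-cross-origin'; we want stricter, so we use 'same-origin' and send no referrer when leaving this site`. top_httphead() starts and ends outside this hunk.
```php
// … unchanged: CSP block and Referrer-Policy comments …
if (!defined('MAIN_SECURITY_FORCERP')) {
	// Only the tokens defined by the Referrer-Policy spec are meaningful; browsers ignore anything else
	$allowedreferrerpolicies = ['no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'];
	$referrerpolicy = trim(getDolGlobalString('MAIN_SECURITY_FORCERP', "same-origin"));
	if (!in_array($referrerpolicy, $allowedreferrerpolicies, true)) {
		$referrerpolicy = 'same-origin';
	}

	header("Referrer-Policy: ".$referrerpolicy);
}
// … unchanged: $forcenocache handling …
```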