From mboxrd@z Thu Jan  1 00:00:00 1970
From: peter.mueller@ipfire.org
To: development@lists.ipfire.org
Subject: [PATCH 1/2] Apache: prevent Referrer leaks via WebUI
Date: Mon, 04 Nov 2019 18:52:00 +0000
Message-ID: <be90ea63-4452-4908-e8e2-04720133705f@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0841414214551313475=="
List-Id: <development.lists.ipfire.org>

--===============0841414214551313475==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

By default, even modern browsers sent the URL of ther originating
site to another one when accessing hyperlinks. This is an information
leak and may expose internal details (such as FQDN or IP address)
of an IPFire installation to a third party.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)ipfire.org>
---
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 +
 config/httpd/vhosts.d/ipfire-interface.conf     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/v=
hosts.d/ipfire-interface-ssl.conf
index 2009184bb..dc1151110 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -22,6 +22,7 @@
=20
     Header always set X-Content-Type-Options nosniff
     Header always set Content-Security-Policy "default-src 'self'; script-sr=
c 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    Header always set Referrer-Policy strict-origin
=20
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhost=
s.d/ipfire-interface.conf
index b70994404..d95fa264f 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -8,6 +8,7 @@
=20
     Header always set X-Content-Type-Options nosniff
     Header always set Content-Security-Policy "default-src 'self'; script-sr=
c 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    Header always set Referrer-Policy strict-origin
=20
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
--=20
2.16.4

--===============0841414214551313475==--