* [PATCH 1/2] Apache: prevent Referrer leaks via WebUI
From: peter.mueller @ 2019-11-04 18:52 UTC (permalink / raw)
To: development
By default, even modern browsers send the URL of their originating
site to another one when accessing hyperlinks. This is an information
leak and may expose internal details (such as FQDN or IP address)
of an IPFire installation to a third party.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 +
config/httpd/vhosts.d/ipfire-interface.conf | 1 +
2 files changed, 2 insertions(+)
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 2009184bb..dc1151110 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -22,6 +22,7 @@
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+ Header always set Referrer-Policy strict-origin
<Directory /srv/web/ipfire/html>
Options ExecCGI
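Review bot: `strict-origin` still discloses the origin to third parties over HTTPS, which is exactly what the commit message sets out to prevent: with this value a browser following a link from the HTTPS WebUI to any external HTTPS site sends `Referer: https://<ipfire-host>:<port>/`, withholding only the path and query, and drops the header only for downgrades to plain HTTP. If the aim is that no outside site learns the FQDN or IP address, `same-origin` (referrer only on requests back to the WebUI itself) or `no-referrer` matches the stated goal; `same-origin` is the safer choice of the two if any CGI script compares the Referer against its own origin.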
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index b70994404..d95fa264f 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -8,6 +8,7 @@
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+ Header always set Referrer-Policy strict-origin
<Directory /srv/web/ipfire/html>
Options ExecCGI
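Review bot: on this plain-HTTP vhost `strict-origin` protects even less than on the SSL vhost: the downgrade rule never triggers (HTTP to HTTP and HTTP to HTTPS both keep the same or a higher security level), so the origin is sent to every destination and the header behaves like `origin`. Using the same value in both files is fine for consistency, but if it is kept, the commit message should say that the FQDN/IP is still sent to external sites and only the path is withheld; otherwise `same-origin` or `no-referrer` is needed here as well.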
--
2.16.4
* [PATCH 2/2] Apache: deny framing of WebUI from different origins
From: peter.mueller @ 2019-11-04 18:53 UTC (permalink / raw)
To: development
There is no legitimate reason to do this. Setting header X-Frame-Options
to "sameorigin" is necessary for displaying some collectd graphs on the
WebUI.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 +
config/httpd/vhosts.d/ipfire-interface.conf | 1 +
2 files changed, 2 insertions(+)
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index dc1151110..de7b8559d 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -23,6 +23,7 @@
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
Header always set Referrer-Policy strict-origin
+ Header always set X-Frame-Options sameorigin
<Directory /srv/web/ipfire/html>
Options ExecCGI
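Review bot: the Content-Security-Policy two lines above has no `frame-ancestors` directive, and CSP `frame-ancestors` is the standardized successor to X-Frame-Options: a browser that receives a policy containing `frame-ancestors` ignores X-Frame-Options entirely. Suggest appending `; frame-ancestors 'self'` to the existing CSP value and keeping the new X-Frame-Options line as a fallback for older browsers, so both mechanisms express the same rule. As a style point, the value is conventionally written `SAMEORIGIN` as in RFC 7034; browsers compare it case-insensitively, so lowercase works, but matching the documented spelling avoids questions later.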
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index d95fa264f..2cf57dd29 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -9,6 +9,7 @@
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
Header always set Referrer-Policy strict-origin
+ Header always set X-Frame-Options sameorigin
<Directory /srv/web/ipfire/html>
Options ExecCGI
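Review bot: `sameorigin` compares scheme, host and port, so the plain-HTTP vhost in this file and the SSL vhost in the previous file are two different origins: a page served by one cannot frame content served by the other once this header is in place. Since the commit message justifies `sameorigin` over `deny` with the collectd graphs, it is worth confirming that every graph is loaded from the same vhost as the page embedding it, and that the graphs are actually embedded in frames (X-Frame-Options has no effect on `<img>` loads); if they are plain images, `deny` would be the tighter value.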
--
2.16.4
* Re: [PATCH 2/2] Apache: deny framing of WebUI from different origins
From: Michael Tremer @ 2019-11-05 10:34 UTC (permalink / raw)
To: development
Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 4 Nov 2019, at 18:53, peter.mueller(a)ipfire.org wrote:
>
> There is no legitimate reason to do this. Setting header X-Frame-Options
> to "sameorigin" is necessary for displaying some collectd graphs on the
> WebUI.
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 +
> config/httpd/vhosts.d/ipfire-interface.conf | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index dc1151110..de7b8559d 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -23,6 +23,7 @@
> Header always set X-Content-Type-Options nosniff
> Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
> Header always set Referrer-Policy strict-origin
> + Header always set X-Frame-Options sameorigin
>
> <Directory /srv/web/ipfire/html>
> Options ExecCGI
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> index d95fa264f..2cf57dd29 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -9,6 +9,7 @@
> Header always set X-Content-Type-Options nosniff
> Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
> Header always set Referrer-Policy strict-origin
> + Header always set X-Frame-Options sameorigin
>
> <Directory /srv/web/ipfire/html>
> Options ExecCGI
> --
> 2.16.4
* Re: [PATCH 1/2] Apache: prevent Referrer leaks via WebUI
From: Michael Tremer @ 2019-11-05 10:34 UTC (permalink / raw)
To: development
Hi,
Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 4 Nov 2019, at 18:52, peter.mueller(a)ipfire.org wrote:
>
> By default, even modern browsers send the URL of their originating
> site to another one when accessing hyperlinks. This is an information
> leak and may expose internal details (such as FQDN or IP address)
> of an IPFire installation to a third party.
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/httpd/vhosts.d/ipfire-interface-ssl.conf | 1 +
> config/httpd/vhosts.d/ipfire-interface.conf | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index 2009184bb..dc1151110 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -22,6 +22,7 @@
>
> Header always set X-Content-Type-Options nosniff
> Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
> + Header always set Referrer-Policy strict-origin
>
> <Directory /srv/web/ipfire/html>
> Options ExecCGI
> diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> index b70994404..d95fa264f 100644
> --- a/config/httpd/vhosts.d/ipfire-interface.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> @@ -8,6 +8,7 @@
>
> Header always set X-Content-Type-Options nosniff
> Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
> + Header always set Referrer-Policy strict-origin
>
> <Directory /srv/web/ipfire/html>
> Options ExecCGI
> --
> 2.16.4