fix CSP referrer policy
The policy of "referrer none" was incorrect and was nonfunctional. With this change, the CSP referrer policy is set to origin, which will causes only the origin to be sent for requests made from the main site. A fix was also needed for referrer checks in two places.
This commit is contained in:
parent
4fee922543
commit
cd83f9f0eb
6
csrf.go
6
csrf.go
@ -12,11 +12,13 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
|
||||
}
|
||||
}
|
||||
|
||||
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, prefix) {
|
||||
p := strings.TrimSuffix(prefix, "/")
|
||||
|
||||
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
|
||||
return false
|
||||
}
|
||||
|
||||
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, strings.TrimSuffix(prefix, "/")) {
|
||||
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
|
||||
return false
|
||||
}
|
||||
|
||||
|
@ -26,7 +26,8 @@ func fileServeHandler(c web.C, w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
if !Config.allowHotlink {
|
||||
referer := r.Header.Get("Referer")
|
||||
if referer != "" && !strings.HasPrefix(referer, Config.siteURL) {
|
||||
prefix := strings.TrimSuffix(Config.siteURL, "/")
|
||||
if referer != "" && !strings.HasPrefix(referer, prefix) {
|
||||
w.WriteHeader(403)
|
||||
return
|
||||
}
|
||||
|
@ -184,10 +184,10 @@ func main() {
|
||||
flag.StringVar(&Config.remoteAuthFile, "remoteauthfile", "",
|
||||
"path to a file containing newline-separated scrypted auth keys for remote uploads")
|
||||
flag.StringVar(&Config.contentSecurityPolicy, "contentsecuritypolicy",
|
||||
"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer none;",
|
||||
"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer origin;",
|
||||
"value of default Content-Security-Policy header")
|
||||
flag.StringVar(&Config.fileContentSecurityPolicy, "filecontentsecuritypolicy",
|
||||
"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer none;",
|
||||
"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer origin;",
|
||||
"value of Content-Security-Policy header for file access")
|
||||
flag.StringVar(&Config.xFrameOptions, "xframeoptions", "SAMEORIGIN",
|
||||
"value of X-Frame-Options header")
|
||||
|
Loading…
Reference in New Issue
Block a user