Bug 1370855 - Restrict Referer to same-origin
authorDaniel Aleksandersen <code@daniel.priv.no>
Thu, 25 Oct 2018 00:56:11 +0000 (02:56 +0200)
committerDylan William Hardison <dylan@hardison.net>
Thu, 25 Oct 2018 00:56:11 +0000 (20:56 -0400)
Bugzilla/CGI.pm

index 4be384b6771bab53db968cf9895ec7dcee8473cc..af96ad85dcd753c6dff50cfd1dce17d071144baf 100644 (file)
@@ -561,6 +561,10 @@ sub header {
     # the MIME type away from the declared Content-Type.
     $headers{'-x_content_type_options'} = 'nosniff';
 
+    # Add Referrer-Policy (sic) header to prevent browsers sending
+    # Referer (sic) headers to external websites.
+    $headers{'-referrer_policy'} = 'same-origin';
+
     Bugzilla::Hook::process('cgi_headers',
         { cgi => $self, headers => \%headers }
     );
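Review bot: A browser that does not recognise the `same-origin` token ignores the whole header and keeps its default referrer behaviour, so `$headers{'-referrer_policy'} = 'same-origin';` gives no protection on those clients. The header accepts a comma-separated fallback list in which the last recognised value wins, so `$headers{'-referrer_policy'} = 'no-referrer, same-origin';` would cover them. The cost is that those clients also stop sending same-origin referrers, so it is worth confirming that nothing in Bugzilla depends on a same-origin Referer before choosing it. Because the assignment sits before the `cgi_headers` hook, an extension can still replace or loosen the value, which the comment could state, e.g. `# Set before the cgi_headers hook so extensions may override the policy.` The body of `header` starts and ends outside this hunk, so whether every response path (redirects, attachments) passes through here cannot be judged from it.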