fix CSP referrer policy

The policy of "referrer none" was incorrect and was nonfunctional. With
this change, the CSP referrer policy is set to origin, which
will cause only the origin to be sent for requests made from the main
site.

A fix was also needed for referrer checks in two places.
mutantmonkey 2015-10-11 23:31:57 -07:00
parent 4fee922543
commit cd83f9f0eb
3 changed files with 8 additions and 5 deletions


@ -12,11 +12,13 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
} }
} }
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, prefix) { p := strings.TrimSuffix(prefix, "/")
if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
return false return false
} }
if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, strings.TrimSuffix(prefix, "/")) { if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
return false return false
} }
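Review bot: Trimming the trailing slash from `prefix` before the `strings.HasPrefix` calls turns the Referer and Origin checks into a bare string-prefix match, so a referrer whose host merely begins with the site's host (a constructed example: site `https://example.test`, referrer `https://example.test.other-host/`) would pass; the same pattern is introduced in fileServeHandler in the next file section. The match should require either equality with `p` or a `/` immediately after it, e.g. `sameSite := func(u string) bool { return u == p || strings.HasPrefix(u, p+"/") }` followed by `!sameSite(referrer)` and `!sameSite(origin)`; parsing both headers with `net/url` and comparing scheme and host would be stricter still. The body of strictReferrerCheck starts and ends outside this hunk.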


@ -26,7 +26,8 @@ func fileServeHandler(c web.C, w http.ResponseWriter, r *http.Request) {
if !Config.allowHotlink { if !Config.allowHotlink {
referer := r.Header.Get("Referer") referer := r.Header.Get("Referer")
if referer != "" && !strings.HasPrefix(referer, Config.siteURL) { prefix := strings.TrimSuffix(Config.siteURL, "/")
if referer != "" && !strings.HasPrefix(referer, prefix) {
w.WriteHeader(403) w.WriteHeader(403)
return return
} }


@ -184,10 +184,10 @@ func main() {
flag.StringVar(&Config.remoteAuthFile, "remoteauthfile", "", flag.StringVar(&Config.remoteAuthFile, "remoteauthfile", "",
"path to a file containing newline-separated scrypted auth keys for remote uploads") "path to a file containing newline-separated scrypted auth keys for remote uploads")
flag.StringVar(&Config.contentSecurityPolicy, "contentsecuritypolicy", flag.StringVar(&Config.contentSecurityPolicy, "contentsecuritypolicy",
"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer none;", "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer origin;",
"value of default Content-Security-Policy header") "value of default Content-Security-Policy header")
flag.StringVar(&Config.fileContentSecurityPolicy, "filecontentsecuritypolicy", flag.StringVar(&Config.fileContentSecurityPolicy, "filecontentsecuritypolicy",
"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer none;", "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer origin;",
"value of Content-Security-Policy header for file access") "value of Content-Security-Policy header for file access")
flag.StringVar(&Config.xFrameOptions, "xframeoptions", "SAMEORIGIN", flag.StringVar(&Config.xFrameOptions, "xframeoptions", "SAMEORIGIN",
"value of X-Frame-Options header") "value of X-Frame-Options header")
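Review bot: The `referrer` CSP directive used in both default policy strings is, as far as I know, a draft-era directive that never made it into a final CSP level and is not honored by every browser, so clients that ignore it may send no Referer at all and then fail the Referer-based checks elsewhere in the code. Consider also emitting the standalone `Referrer-Policy: origin` header where the CSP header is written (outside this hunk), and extending the help text to say that the referrer value is what the site's Referer checks depend on, e.g. `"value of default Content-Security-Policy header (its referrer directive must keep the Referer checks working)"`. main continues outside this hunk.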