fix CSP referrer policy

The policy of "referrer none" was incorrect and was nonfunctional. With this change, the CSP referrer policy is set to origin, which will causes only the origin to be sent for requests made from the main site. A fix was also needed for referrer checks in two places.
2015-10-11 23:31:57 -07:00 · 2015-10-11 23:31:57 -07:00 · cd83f9f0eb
parent 4fee922543
commit cd83f9f0eb
3 changed files with 8 additions and 5 deletions
--- a/csrf.go
+++ b/csrf.go
@ -12,11 +12,13 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
 		}
 	}

-	if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, prefix) {
+	p := strings.TrimSuffix(prefix, "/")
+
+	if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
 		return false
 	}

-	if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, strings.TrimSuffix(prefix, "/")) {
+	if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
 		return false
 	}

--- a/fileserve.go
+++ b/fileserve.go
@ -26,7 +26,8 @@ func fileServeHandler(c web.C, w http.ResponseWriter, r *http.Request) {

 	if !Config.allowHotlink {
 		referer := r.Header.Get("Referer")
-		if referer != "" && !strings.HasPrefix(referer, Config.siteURL) {
+		prefix := strings.TrimSuffix(Config.siteURL, "/")
+		if referer != "" && !strings.HasPrefix(referer, prefix) {
 			w.WriteHeader(403)
 			return
 		}
--- a/server.go
+++ b/server.go
@ -184,10 +184,10 @@ func main() {
 	flag.StringVar(&Config.remoteAuthFile, "remoteauthfile", "",
 		"path to a file containing newline-separated scrypted auth keys for remote uploads")
 	flag.StringVar(&Config.contentSecurityPolicy, "contentsecuritypolicy",
-		"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer none;",
+		"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer origin;",
 		"value of default Content-Security-Policy header")
 	flag.StringVar(&Config.fileContentSecurityPolicy, "filecontentsecuritypolicy",
-		"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer none;",
+		"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer origin;",
 		"value of Content-Security-Policy header for file access")
 	flag.StringVar(&Config.xFrameOptions, "xframeoptions", "SAMEORIGIN",
 		"value of X-Frame-Options header")