Commit Graph

7 Commits

Author SHA1 Message Date
andreimarcu 9b724725b3 Blank referrers are allowed 2015-10-14 20:35:43 -04:00
mutantmonkey d138755806 do a proper same-origin check
String prefix matching is hacky and provides insufficient checking if it
does not end with a /.
2015-10-13 19:55:32 -07:00
mutantmonkey a3723d3665 short-circuit on origin header
If the Origin header is present, we can check it and skip the other
checks.
2015-10-12 01:23:06 -07:00
mutantmonkey a7ae455ac1 strict referrer check improvements
* Always check Origin if it is present, regardless of headers sent
* Whitelist X-Requested-With header
2015-10-12 00:28:04 -07:00
mutantmonkey cd83f9f0eb fix CSP referrer policy
The policy of "referrer none" was incorrect and was nonfunctional. With
this change, the CSP referrer policy is set to origin, which
will causes only the origin to be sent for requests made from the main
site.

A fix was also needed for referrer checks in two places.
2015-10-11 23:49:15 -07:00
mutantmonkey 39d874374d trim trailing / for origin checking 2015-10-11 20:06:14 -07:00
mutantmonkey 6ff181facb add strict referrer check for POST uploads
This should protect against cross-site request forgery without the need
for cookies. It continues to allow requests with Linx-Delete-Key,
Linx-Expiry, or Linx-Randomize headers as these will not be set in the
case of cross-site requests.
2015-10-08 20:27:04 -07:00