From 11375a4f59e3f14b440787d226c10b80ce7b3ea7 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Thu, 27 Jun 2019 20:31:10 +0200 Subject: [PATCH] moved referrer policy from CSP & meta to proper HTTP header to avoid browser console error message about unknown CSP header and to ensure it always applies before HTML is parsed, fixes #196 --- cfg/conf.sample.php | 2 +- lib/Configuration.php | 2 +- lib/Controller.php | 1 + tpl/bootstrap.php | 1 - tpl/page.php | 1 - 5 files changed, 3 insertions(+), 4 deletions(-) diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php index 2647b507..1c1d8d95 100644 --- a/cfg/conf.sample.php +++ b/cfg/conf.sample.php @@ -70,7 +70,7 @@ languageselection = false ; Check the documentation at https://content-security-policy.com/ ; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions. ; By default this disallows to load images from third-party servers, e.g. when they are embedded in pastes. If you wish to allow that, you can adjust the policy here. See https://github.com/PrivateBin/PrivateBin/wiki/FAQ#why-does-not-it-load-embedded-images for details. -; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; Referrer-Policy: 'no-referrer'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals" +; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals" ; stay compatible with PrivateBin Alpha 0.19, less secure ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of diff --git a/lib/Configuration.php b/lib/Configuration.php index f49656d2..53808ad7 100644 --- a/lib/Configuration.php +++ b/lib/Configuration.php @@ -53,7 +53,7 @@ class Configuration 'urlshortener' => '', 'qrcode' => true, 'icon' => 'identicon', - 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\' \'unsafe-eval\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; Referrer-Policy: \'no-referrer\'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals', + 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\' \'unsafe-eval\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals', 'zerobincompatibility' => false, 'httpwarning' => true, 'compression' => 'zlib', diff --git a/lib/Controller.php b/lib/Controller.php index 4b052492..2e0588b7 100644 --- a/lib/Controller.php +++ b/lib/Controller.php @@ -343,6 +343,7 @@ class Controller header('Last-Modified: ' . $time); header('Vary: Accept'); header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader')); + header('Referrer-Policy: no-referrer'); header('X-Xss-Protection: 1; mode=block'); header('X-Frame-Options: DENY'); header('X-Content-Type-Options: nosniff'); diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index b60db3ab..545fdfb9 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -10,7 +10,6 @@ $isPage = substr($template, -5) === '-page'; - <?php echo I18n::_($NAME); ?> - <?php echo I18n::_($NAME); ?>