Feature
Make Referrer-Policy: strict-origin-when-cross-origin the default header.
Please change the default Referrer-Policy header to strict-origin-when-cross-origin, which also covers the use case of no-referrer-when-downgrade but works for e.g. comment embedding.
Situation
https://securityheaders.com/?q=https%3A%2F%2Fmeta.discourse.org&hide=on&followRedirects=on
… shows that “There was a duplicate Referrer-Policy header.”
1. Referrer-Policy strict-origin-when-cross-origin
2. Referrer-Policy no-referrer-when-downgrade
Only one of those should be set. 1 is not referenced in Discourse’s code, but it seems to me the legitimate one to use since it acts as a superset of 2. 2 is referenced in the sample nginx configuration file at
In discourse_docker:
root@ps /var/discourse # grep -i referrer templates/*.yml
templates/web.ssl.template.yml: from: /add_header Referrer-Policy 'no-referrer-when-downgrade';/m
templates/web.ssl.template.yml: add_header Referrer-Policy 'no-referrer-when-downgrade';
What to do with it?
1. Change line 264 of config/nginx.sample.conf in discourse.
2. Update web.ssl.template.yml in discourse_docker to match the change.
1 Like
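To make the two claims in the post concrete (that the response carries two Referrer-Policy fields, and that strict-origin-when-cross-origin covers the no-referrer-when-downgrade use case), here is an added example that is not Discourse, Rails or nginx code. It parses a constructed response head with both fields in the order the scan listed them, flags the duplicate, works out which value a spec-following browser applies (repeated fields are combined in order and the last valid token wins), and then computes the Referer a browser would send under each policy for a same-origin link, a cross-origin https link (the comment-embedding case) and a downgrade to http. The sample response, the source URL and the navigation targets are constructed for the example; the “downgrade” test is simplified to https to non-https.

```python
"""Check a response for duplicate Referrer-Policy fields and compare the two
policies from the thread. Added example, not Discourse, Rails or nginx code."""
from urllib.parse import urlsplit

# The eight policy tokens defined by the W3C Referrer Policy specification.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Constructed sample (not a real capture): app header first, nginx's after it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (lower-cased name, value) pairs from a response head, in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if line.strip():
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def effective_referrer_policy(headers):
    """Return (all Referrer-Policy values, the policy a browser applies).

    The spec combines repeated fields in order and keeps the last token that
    is a known policy, so an appended weaker value overrides an earlier one.
    """
    values = [v for n, v in headers if n == "referrer-policy"]
    policy = ""
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if token in POLICIES:
                policy = token
    return values, policy


def audit(raw):
    """Flag duplicate Referrer-Policy fields and report the effective policy."""
    values, policy = effective_referrer_policy(parse_headers(raw))
    findings = []
    if len(values) > 1:
        findings.append("duplicate Referrer-Policy header: " + ", ".join(values))
    if policy == "":
        findings.append("no valid Referrer-Policy set")
    return {"values": values, "effective": policy, "findings": findings}


def referrer_for(policy, referrer, target):
    """Referer value sent for referrer -> target under one policy (None = none).

    Simplified: "downgrade" means https -> non-https and userinfo stripping is
    not modelled; the fragment is dropped as the spec requires.
    """
    src, dst = urlsplit(referrer), urlsplit(target)
    src_origin = f"{src.scheme}://{src.netloc}"
    same_origin = src_origin == f"{dst.scheme}://{dst.netloc}"
    downgrade = src.scheme == "https" and dst.scheme != "https"
    full = referrer.split("#", 1)[0]
    origin_only = src_origin + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin_only)
    raise ValueError(f"unknown policy {policy!r}")


# Constructed navigations from a topic page: same origin, a cross-origin https
# page (a site embedding a link back, as with comment embedding), a downgrade.
SOURCE = "https://meta.discourse.org/t/harden-referrer-policy-header/100172"
NAVIGATIONS = [
    ("same-origin", "https://meta.discourse.org/u/sam"),
    ("cross-origin https", "https://example.com/blog/post#comments"),
    ("downgrade to http", "http://example.com/blog/post"),
]


def compare(policies=("no-referrer-when-downgrade", "strict-origin-when-cross-origin")):
    """Map each policy to {navigation label: Referer sent}."""
    return {p: {label: referrer_for(p, SOURCE, t) for label, t in NAVIGATIONS}
            for p in policies}


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
    for policy, rows in compare().items():
        print(policy)
        for label, ref in rows.items():
            print(f"  {label:20} -> {ref}")
```

Running it shows the two policies agree on the same-origin link (full URL) and on the downgrade (no Referer); they differ only cross-origin over https, where strict-origin-when-cross-origin sends just the origin, which is still enough for an embedding site to see where the visit came from. It also shows why the duplicate matters beyond tidiness: with the fields in the order the scan listed, the last valid token, no-referrer-when-downgrade, is the one a spec-following browser applies, so the stricter policy the app set is silently overridden until the extra add_header is removed.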
What are your feelings on this, @sam?
sam
(Sam Saffron)
23 October 2018, 11:17am
3
Does any of this relate to your CSP work @xrav3nz ?
2 Likes
My guess is that your front server is adding the extra header.
xrav3nz
23 October 2018, 5:36pm
6
Nope, I double checked by looking at some instances without the latest CSP changes.
The duplicated one (strict-origin-when-cross-origin) seems to be a Rails default:
config.action_dispatch.use_authenticated_cookie_encryption = false
config.action_dispatch.use_cookies_with_metadata = false
config.action_dispatch.perform_deep_munge = true
config.action_dispatch.default_headers = {
  "X-Frame-Options" => "SAMEORIGIN",
  "X-XSS-Protection" => "1; mode=block",
  "X-Content-Type-Options" => "nosniff",
  "X-Download-Options" => "noopen",
  "X-Permitted-Cross-Domain-Policies" => "none",
  "Referrer-Policy" => "strict-origin-when-cross-origin"
}
config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
config.eager_load_namespaces << ActionDispatch
initializer "action_dispatch.configure" do |app|
  ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
  ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
  ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge
4 Likes
Then removing line 264 should fix it?
sam
(Sam Saffron)
23 October 2018, 9:36pm
8
Sure, might as well remove it… doing so now
committed 09:38PM - 23 Oct 18 UTC
Rails already ships with strict-origin-when-cross-origin, no need
to also add no-referrer-when-downgrade
see: https://meta.discourse.org/t/harden-referrer-policy-header/100172
2 Likes
Excellent, good find, @hellekin.
@sam, don’t forget discourse_docker.
Thanks, @codinghorror.
3 Likes
sam
(Sam Saffron)
closed on
25 October 2018, 7:00am
12
This topic was automatically closed after 33 hours. New replies are no longer allowed.