From ee5932a504d69e591aad7bdd52bd97d1f92d4e32 Mon Sep 17 00:00:00 2001 From: William Pitcock Date: Mon, 12 Nov 2018 15:14:46 +0000 Subject: [PATCH] http security: allow referrer-policy to be configured --- config/config.exs | 3 ++- config/config.md | 1 + lib/pleroma/plugs/http_security_plug.ex | 4 +++- test/plugs/http_security_plug_test.exs | 16 ++++++++++++++++ 4 files changed, 22 insertions(+), 2 deletions(-) diff --git a/config/config.exs b/config/config.exs index be9c03ceb..9cc558564 100644 --- a/config/config.exs +++ b/config/config.exs @@ -180,7 +180,8 @@ config :pleroma, :http_security, enabled: true, sts: false, sts_max_age: 31_536_000, - ct_max_age: 2_592_000 + ct_max_age: 2_592_000, + referrer_policy: "same-origin" config :cors_plug, max_age: 86_400, diff --git a/config/config.md b/config/config.md index 48af1c236..5b4110646 100644 --- a/config/config.md +++ b/config/config.md @@ -86,3 +86,4 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i * ``sts``: Whether to additionally send a `Strict-Transport-Security` header * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent * ``ct_max_age``: The maximum age for the `Expect-CT` header if sent +* ``referrer_policy``: The referrer policy to use, either `"same-origin"` or `"no-referrer"`. diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index 8d652a2f3..960c7f6bf 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -15,12 +15,14 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do end defp headers do + referrer_policy = Config.get([:http_security, :referrer_policy]) + [ {"x-xss-protection", "1; mode=block"}, {"x-permitted-cross-domain-policies", "none"}, {"x-frame-options", "DENY"}, {"x-content-type-options", "nosniff"}, - {"referrer-policy", "same-origin"}, + {"referrer-policy", referrer_policy}, {"x-download-options", "noopen"}, {"content-security-policy", csp_string() <> ";"} ] diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs index 5268a1972..55040a108 100644 --- a/test/plugs/http_security_plug_test.exs +++ b/test/plugs/http_security_plug_test.exs @@ -58,4 +58,20 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do assert Conn.get_resp_header(conn, "strict-transport-security") == [] assert Conn.get_resp_header(conn, "expect-ct") == [] end + + test "referrer-policy header reflects configured value", %{conn: conn} do + conn = + conn + |> get("/api/v1/instance") + + assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"] + + Config.put([:http_security, :referrer_policy], "no-referrer") + + conn = + build_conn() + |> get("/api/v1/instance") + + assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"] + end end