From c61b33e56d313f50374edb51c8f0be5900484bab Mon Sep 17 00:00:00 2001
From: Robert Linder <26493779+Malvoz@users.noreply.github.com>
Date: Tue, 12 Nov 2019 15:46:56 +0100
Subject: [PATCH 1/4] Stricter default Referrer-Policy + expand applicable
media-types
---
src/security/referrer-policy.conf | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/src/security/referrer-policy.conf b/src/security/referrer-policy.conf
index 3d2a079e..e8a73d45 100644
--- a/src/security/referrer-policy.conf
+++ b/src/security/referrer-policy.conf
@@ -2,24 +2,23 @@
# | Referrer Policy |
# ----------------------------------------------------------------------
-# A web application uses HTTPS and a URL-based session identifier.
-# The web application might wish to link to HTTPS resources on other
-# web sites without leaking the user's session identifier in the URL.
+# Set a strict Referrer Policy to mitigate information leakage.
#
-# This can be done by setting a `Referrer Policy` which
-# whitelists trusted sources of content for your website.
+# (1) The `Referrer-Policy` header is included in all responses for
+# resources that are able to request other resources. This includes
+# the commonly used resource types:
+# HTML, XML/SVG, PDF documents, scripts and workers.
#
-# To check your referrer policy, you can use an online service
-# such as: https://securityheaders.io/.
+# To prevent referrer leakage entirely, specify the `no-referrer` value
+# instead. Note that the effect could impact analytics metrics negatively.
+#
+# To check your Referrer Policy, you can use an online service
+# such as: https://securityheaders.com/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
- # no-referrer-when-downgrade (default)
- # This should be the user agent's default behavior if no policy is
- # specified.The origin is sent as referrer to a-priori as-much-secure
- # destination (HTTPS->HTTPS), but isn't sent to a less secure destination
- # (HTTPS->HTTP).
- Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+ # (1)
+ Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
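Review bot: The new `Header set` directive writes only mod_headers' onsuccess table, so the policy is attached to 2xx responses and is absent from non-2xx responses such as an HTML custom 404 page or a locally generated redirect, which contradicts the comment's "included in all responses"; a navigation away from an error page leaks the full URL under the browser default just like one from a 200 page. Using `Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"` covers every status. The trailing `xml` alternative is unanchored, which is presumably intended so that `text/xml`, `image/svg+xml`, `application/xhtml+xml` and other `+xml` types all match, but that reads like an oversight next to the escaped, anchored alternatives; a comment such as `# "xml" is deliberately unanchored: matches text/xml and application/*+xml (SVG, XHTML, Atom, ...)` would make it explicit.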
From 5d2ec2b90a504fd615e90b28880c00064974f094 Mon Sep 17 00:00:00 2001
From: Robert Linder <26493779+Malvoz@users.noreply.github.com>
Date: Fri, 15 Nov 2019 10:27:29 +0100
Subject: [PATCH 2/4] Update Referrer-Policy description
---
src/security/referrer-policy.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/referrer-policy.conf b/src/security/referrer-policy.conf
index e8a73d45..d7525253 100644
--- a/src/security/referrer-policy.conf
+++ b/src/security/referrer-policy.conf
@@ -5,8 +5,8 @@
# Set a strict Referrer Policy to mitigate information leakage.
#
# (1) The `Referrer-Policy` header is included in all responses for
-# resources that are able to request other resources. This includes
-# the commonly used resource types:
+# resources that are able to request or navigate to other resources.
+# This includes the commonly used resource types:
# HTML, XML/SVG, PDF documents, scripts and workers.
#
# To prevent referrer leakage entirely, specify the `no-referrer` value
From cf1a27da524f1cb6d7beffad0fad39dc7b563a39 Mon Sep 17 00:00:00 2001
From: Robert Linder <26493779+Malvoz@users.noreply.github.com>
Date: Sat, 16 Nov 2019 03:30:46 +0100
Subject: [PATCH 3/4] Update media-types for `Referrer-Policy`
---
src/security/referrer-policy.conf | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/security/referrer-policy.conf b/src/security/referrer-policy.conf
index d7525253..fda56357 100644
--- a/src/security/referrer-policy.conf
+++ b/src/security/referrer-policy.conf
@@ -7,18 +7,19 @@
# (1) The `Referrer-Policy` header is included in all responses for
# resources that are able to request or navigate to other resources.
# This includes the commonly used resource types:
-# HTML, XML/SVG, PDF documents, scripts and workers.
+# HTML, CSS, XML/SVG, PDF documents, scripts and workers.
#
# To prevent referrer leakage entirely, specify the `no-referrer` value
# instead. Note that the effect could impact analytics metrics negatively.
#
-# To check your Referrer Policy, you can use an online service
-# such as: https://securityheaders.com/.
+# To check your Referrer Policy, you can use an online service:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
# (1)
- Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
+ Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
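Review bot: The widened alternation still matches scripts only when they are served as `text/javascript`; if the server's media-types configuration (not visible in this patch — confirm) maps `.js`/`.mjs` to `application/javascript` or the legacy `application/x-javascript`, the "scripts and workers" the comment promises to cover get no policy at all. Accepting both registered forms keeps the intent: `m#(text|application)\/(x-)?javascript|text\/(css|html)|application\/pdf|xml#i`. It is also worth a one-line comment that `application/pdf` is included because browser-embedded PDF viewers can follow links, since that entry is the least obvious one in the list.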
From 1d18f20d936997e17f3f5988f06a0405ff1ff7e9 Mon Sep 17 00:00:00 2001
From: Robert Linder <26493779+Malvoz@users.noreply.github.com>
Date: Sat, 16 Nov 2019 03:41:02 +0100
Subject: [PATCH 4/4] Update `Referrer-Policy` description
---
src/security/referrer-policy.conf | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/security/referrer-policy.conf b/src/security/referrer-policy.conf
index fda56357..08bf70f4 100644
--- a/src/security/referrer-policy.conf
+++ b/src/security/referrer-policy.conf
@@ -4,15 +4,16 @@
# Set a strict Referrer Policy to mitigate information leakage.
#
-# (1) The `Referrer-Policy` header is included in all responses for
-# resources that are able to request or navigate to other resources.
+# (1) The `Referrer-Policy` header is included in responses for resources
+# that are able to request (or navigate to) other resources.
+#
# This includes the commonly used resource types:
# HTML, CSS, XML/SVG, PDF documents, scripts and workers.
#
# To prevent referrer leakage entirely, specify the `no-referrer` value
# instead. Note that the effect could impact analytics metrics negatively.
#
-# To check your Referrer Policy, you can use an online service:
+# To check your Referrer Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
#