http security: allow referrer-policy to be configured

author William Pitcock <nenolod@dereferenced.org>

Mon, 12 Nov 2018 15:14:46 +0000 (15:14 +0000)

committer William Pitcock <nenolod@dereferenced.org>

Mon, 12 Nov 2018 15:14:46 +0000 (15:14 +0000)
author William Pitcock <nenolod@dereferenced.org>
Mon, 12 Nov 2018 15:14:46 +0000 (15:14 +0000)
committer William Pitcock <nenolod@dereferenced.org>
Mon, 12 Nov 2018 15:14:46 +0000 (15:14 +0000)
diff --git a/config/config.exs b/config/config.exs

index be9c03ceba7dd6ea2197940d3fe048ce6ac39675..9cc55856463b41f2e36f49606404204bf5abed85 100644 (file)
--- a/config/config.exs
+++ b/config/config.exs
@@ -180,7 +180,8 @@ config :pleroma, :http_security,
    enabled: true,
    sts: false,
    sts_max_age: 31_536_000,
-  ct_max_age: 2_592_000
+  ct_max_age: 2_592_000,
+  referrer_policy: "same-origin"
  
  config :cors_plug,
    max_age: 86_400,
diff --git a/config/config.md b/config/config.md

index 48af1c236287bce8431aec6ed0d922afd18d70bd..5b4110646369c9526e052997f9015cb1ff856d0f 100644 (file)
--- a/config/config.md
+++ b/config/config.md
@@ -86,3 +86,4 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i
  * ``sts``: Whether to additionally send a `Strict-Transport-Security` header
  * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent
  * ``ct_max_age``: The maximum age for the `Expect-CT` header if sent
+* ``referrer_policy``: The referrer policy to use, either `"same-origin"` or `"no-referrer"`.
diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex

index 8d652a2f34d9fe59210e3dcb3dbd86d7e9a2b49b..960c7f6bfb25774d05667e6a461f863f1903e433 100644 (file)
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@@ -15,12 +15,14 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
    end
  
    defp headers do
+    referrer_policy = Config.get([:http_security, :referrer_policy])
+
      [
        {"x-xss-protection", "1; mode=block"},
        {"x-permitted-cross-domain-policies", "none"},
        {"x-frame-options", "DENY"},
        {"x-content-type-options", "nosniff"},
-      {"referrer-policy", "same-origin"},
+      {"referrer-policy", referrer_policy},
        {"x-download-options", "noopen"},
        {"content-security-policy", csp_string() <> ";"}
      ]
diff --git a/test/plugs/http_security_plug_test.exs b/test/plugs/http_security_plug_test.exs

index 5268a1972f7caf7bca7b229c9ead3a54a031f301..55040a108b05835d1b8710fcafb441774ad9d095 100644 (file)
--- a/test/plugs/http_security_plug_test.exs
+++ b/test/plugs/http_security_plug_test.exs
@@ -58,4 +58,20 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
      assert Conn.get_resp_header(conn, "strict-transport-security") == []
      assert Conn.get_resp_header(conn, "expect-ct") == []
    end
+
+  test "referrer-policy header reflects configured value", %{conn: conn} do
+    conn =
+      conn
+      |> get("/api/v1/instance")
+
+    assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
+
+    Config.put([:http_security, :referrer_policy], "no-referrer")
+
+    conn =
+      build_conn()
+      |> get("/api/v1/instance")
+
+    assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
+  end
  end
author	William Pitcock <nenolod@dereferenced.org>
	Mon, 12 Nov 2018 15:14:46 +0000 (15:14 +0000)
committer	William Pitcock <nenolod@dereferenced.org>
	Mon, 12 Nov 2018 15:14:46 +0000 (15:14 +0000)
config/config.exs		patch \| blob \| history
config/config.md		patch \| blob \| history
lib/pleroma/plugs/http_security_plug.ex		patch \| blob \| history
test/plugs/http_security_plug_test.exs		patch \| blob \| history