From f902a6314425b00706b7b559a08457e95edb8873 Mon Sep 17 00:00:00 2001
From: zzz
Date: Fri, 23 Dec 2016 12:35:41 +0000
Subject: [PATCH] Console: Add Referrer-Policy header
---
 .../java/src/org/klomp/snark/web/I2PSnarkServlet.java | 1 +
 .../src/net/i2p/i2ptunnel/localServer/LocalHTTPServer.java | 1 +
 apps/i2ptunnel/jsp/edit.jsp | 1 +
 apps/i2ptunnel/jsp/index.jsp | 1 +
 apps/i2ptunnel/jsp/wizard.jsp | 1 +
 apps/routerconsole/jsp/css.jsi | 4 ++++
 apps/susidns/src/jsp/addressbook.jsp | 1 +
 apps/susidns/src/jsp/config.jsp | 1 +
 apps/susidns/src/jsp/details.jsp | 1 +
 apps/susidns/src/jsp/index.jsp | 1 +
 apps/susidns/src/jsp/subscriptions.jsp | 1 +
 apps/susimail/src/src/i2p/susi/webmail/WebMail.java | 1 +
 installer/resources/proxy/ahelper-conflict-header.ht | 1 +
 installer/resources/proxy/ahelper-new-header.ht | 1 +
 installer/resources/proxy/dnfh-header.ht | 1 +
 15 files changed, 18 insertions(+)
diff --git a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
index 92e572b67..b983bca9e 100644
--- a/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
+++ b/apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java
@@ -388,6 +388,7 @@ public class I2PSnarkServlet extends BasicServlet {
 resp.setHeader("X-Frame-Options", "SAMEORIGIN");
 resp.setHeader("X-XSS-Protection", "1; mode=block");
 resp.setHeader("X-Content-Type-Options", "nosniff");
+ resp.setHeader("Referrer-Policy", "no-referrer");
 }
 private void writeMessages(PrintWriter out, boolean isConfigure, String peerString) throws IOException {
diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/localServer/LocalHTTPServer.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/localServer/LocalHTTPServer.java
index bd84ac9ee..0aa2d1af2 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/localServer/LocalHTTPServer.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/localServer/LocalHTTPServer.java
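Review bot: `resp.setHeader("Referrer-Policy", "no-referrer");` is pasted verbatim into this hunk and the ten other servlet/JSP hunks (i2ptunnel edit/index/wizard, routerconsole css.jsi, the five susidns pages, WebMail), extending an already copy-pasted X-Frame-Options / X-XSS-Protection / X-Content-Type-Options set, so every future header change is again a many-file patch and only css.jsi records why "no-referrer" was chosen over "same-origin". If a class shared by these webapps exists, one helper along the lines of `static void setSecurityHeaders(HttpServletResponse resp, String csp)` would keep the set in one place while each page keeps its own CSP string; at minimum the rationale from css.jsi is worth repeating here as `// no-referrer: strictest policy; see css.jsi for browser-support notes`. The method containing this hunk starts before the hunk; the `}` shown is its closing brace.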
@@ -196,6 +196,7 @@ public abstract class LocalHTTPServer {
 tbook = book;
 out.write(("HTTP/1.1 200 OK\r\n"+
 "Content-Type: text/html; charset=UTF-8\r\n"+
+ "Referrer-Policy: no-referrer\r\n"+
 "Connection: close\r\n"+
 "Proxy-Connection: close\r\n"+
 "\r\n"+
diff --git a/apps/i2ptunnel/jsp/edit.jsp b/apps/i2ptunnel/jsp/edit.jsp
index 21fac1fc3..c1030a5c7 100644
--- a/apps/i2ptunnel/jsp/edit.jsp
+++ b/apps/i2ptunnel/jsp/edit.jsp
@@ -6,6 +6,7 @@
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
diff --git a/apps/i2ptunnel/jsp/index.jsp b/apps/i2ptunnel/jsp/index.jsp
index de7ca8f31..f0faf2c94 100644
--- a/apps/i2ptunnel/jsp/index.jsp
+++ b/apps/i2ptunnel/jsp/index.jsp
@@ -9,6 +9,7 @@
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
diff --git a/apps/i2ptunnel/jsp/wizard.jsp b/apps/i2ptunnel/jsp/wizard.jsp
index 1ce1c3190..b8d7afae9 100644
--- a/apps/i2ptunnel/jsp/wizard.jsp
+++ b/apps/i2ptunnel/jsp/wizard.jsp
@@ -9,6 +9,7 @@
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
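Review bot: The hand-built 200 OK response here gains only Referrer-Policy, while the servlet and JSP pages touched by this commit also send X-Frame-Options, X-XSS-Protection and X-Content-Type-Options; the same gap is in the three proxy header templates (ahelper-conflict-header.ht, ahelper-new-header.ht, dnfh-header.ht), which carry Cache-control and the new Referrer-Policy but none of the others. Since this response is text/html rendered by the user's browser, the two lines `"X-Frame-Options: SAMEORIGIN\r\n"+` and `"X-Content-Type-Options: nosniff\r\n"+` next to the new one (and the equivalent header lines in the .ht templates) would bring these pages in line with the rest of the console. The surrounding method and the out.write( call both begin before this hunk and the header string continues past it, so whether LocalHTTPServer writes other raw responses that need the same line is not visible here.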
diff --git a/apps/routerconsole/jsp/css.jsi b/apps/routerconsole/jsp/css.jsi
index 2b8b370eb..3e68d3621 100644
--- a/apps/routerconsole/jsp/css.jsi
+++ b/apps/routerconsole/jsp/css.jsi
@@ -36,6 +36,10 @@
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
 }
+ // https://www.w3.org/TR/referrer-policy/
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ // As of Chrome 56, Firefox 50, Opera 43. "same-origin" not widely supported.
+ response.setHeader("Referrer-Policy", "no-referrer");
 String conNonceParam = request.getParameter("consoleNonce");
 if (net.i2p.router.web.CSSHelper.getNonce().equals(conNonceParam)) {
diff --git a/apps/susidns/src/jsp/addressbook.jsp b/apps/susidns/src/jsp/addressbook.jsp
index 99c01a583..a72382444 100644
--- a/apps/susidns/src/jsp/addressbook.jsp
+++ b/apps/susidns/src/jsp/addressbook.jsp
@@ -31,6 +31,7 @@
 response.setHeader("Content-Security-Policy", "default-src 'self'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susidns/src/jsp/config.jsp b/apps/susidns/src/jsp/config.jsp
index ec3706d99..207f332bb 100644
--- a/apps/susidns/src/jsp/config.jsp
+++ b/apps/susidns/src/jsp/config.jsp
@@ -31,6 +31,7 @@
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susidns/src/jsp/details.jsp b/apps/susidns/src/jsp/details.jsp
index 773c4cd6f..d463ea599 100644
--- a/apps/susidns/src/jsp/details.jsp
+++ b/apps/susidns/src/jsp/details.jsp
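Review bot: In the css.jsi hunk the new `response.setHeader("Referrer-Policy", "no-referrer");` sits after the `}` that closes the block holding X-XSS-Protection and X-Content-Type-Options, so it is sent on every response while those two depend on a condition that lies before the hunk. If that block is a deliberate opt-out (a config flag or per-request gate), the new header silently bypasses it; either move the line inside the block or extend the new comment with `// Unlike the headers above, sent unconditionally: <REASON-PLACEHOLDER>` so the asymmetry reads as intended rather than accidental. The block's opening condition is outside the hunk, so which of the two is right cannot be judged from here.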
@@ -28,6 +28,7 @@
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susidns/src/jsp/index.jsp b/apps/susidns/src/jsp/index.jsp
index 75851cd58..fa2e3a30a 100644
--- a/apps/susidns/src/jsp/index.jsp
+++ b/apps/susidns/src/jsp/index.jsp
@@ -31,6 +31,7 @@
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susidns/src/jsp/subscriptions.jsp b/apps/susidns/src/jsp/subscriptions.jsp
index 8f6ee398e..d44212db5 100644
--- a/apps/susidns/src/jsp/subscriptions.jsp
+++ b/apps/susidns/src/jsp/subscriptions.jsp
@@ -31,6 +31,7 @@
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 %>
 <%@page pageEncoding="UTF-8"%>
diff --git a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
index c9e5198d9..95f633282 100644
--- a/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
+++ b/apps/susimail/src/src/i2p/susi/webmail/WebMail.java
@@ -1637,6 +1637,7 @@ public class WebMail extends HttpServlet
 response.setHeader("Content-Security-Policy", "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'");
 response.setHeader("X-XSS-Protection", "1; mode=block");
 response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("Referrer-Policy", "no-referrer");
 RequestWrapper request = new RequestWrapper( httpRequest );
 SessionObject sessionObject = null;
diff --git a/installer/resources/proxy/ahelper-conflict-header.ht b/installer/resources/proxy/ahelper-conflict-header.ht
index 02dbac2ae..ea255aa4b 100644
--- a/installer/resources/proxy/ahelper-conflict-header.ht
+++ b/installer/resources/proxy/ahelper-conflict-header.ht
@@ -1,5 +1,6 @@
 HTTP/1.1 409 Conflict
 Content-Type: text/html; charset=UTF-8
+Referrer-Policy: no-referrer
 Cache-control: no-cache
 Connection: close
 Proxy-Connection: close
diff --git a/installer/resources/proxy/ahelper-new-header.ht b/installer/resources/proxy/ahelper-new-header.ht
index 2ae585327..c21bd7892 100644
--- a/installer/resources/proxy/ahelper-new-header.ht
+++ b/installer/resources/proxy/ahelper-new-header.ht
@@ -1,5 +1,6 @@
 HTTP/1.1 409 New Address
 Content-Type: text/html; charset=UTF-8
+Referrer-Policy: no-referrer
 Cache-control: no-cache
 Connection: close
 Proxy-Connection: close
diff --git a/installer/resources/proxy/dnfh-header.ht b/installer/resources/proxy/dnfh-header.ht
index 3fbfe070f..b03ecbc50 100644
--- a/installer/resources/proxy/dnfh-header.ht
+++ b/installer/resources/proxy/dnfh-header.ht
@@ -1,5 +1,6 @@
 HTTP/1.1 500 Domain Not Found
 Content-Type: text/html; charset=UTF-8
+Referrer-Policy: no-referrer
 Cache-control: no-cache
 Connection: close
 Proxy-Connection: close