From bugzilla-daemon@bugs.koha-community.org Mon Feb 24 16:02:44 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 24717] New: Koha should set a referrer policy
Date: Mon, 24 Feb 2020 15:02:43 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2936814496668279372=="
--===============2936814496668279372==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D24717
Bug ID: 24717
Summary: Koha should set a referrer policy
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: koha-bugs@lists.koha-community.org
Reporter: gmcharlt@gmail.com
QA Contact: testopia@bugs.koha-community.org
Koha should set a referrer policy [0] to restrict what is passed in the Refer=
er
header when external resources (e.g., cover images, added content of various
stripes, electronic resources, external images and CSS, etc.) are embedded or
navigated to.
If a referrer policy is not set, the default policy of
no-referrer-when-downgrade means that (say) the full referring URL, which can
include record IDs and catalog search strings, will be sent to outside
webservers providing external resources provided that loading the external
resource doesn't mean downgrading from HTTPS to HTTP.
Better values for the referrer policy include:
* strict-origin-when-cross-origin
* origin-when-cross-origin
Values that might break current Koha functionality that inspects the Referer
header include:
* no-referrer
* origin
* strict-origin
Values that might break legitimate inspection of the Referer header by servic=
es
that perform referring URL "authentication" include:
* no-referrer
* same-origin
A referrer policy can be set in various ways:
- Using a Referrer-Policy HTTP header configured at the Apache or NGINX level
- Using a meta tag:
- Using a referrerpolicy attribute in , ,
,