From bugzilla-daemon@bugs.koha-community.org Mon Feb 24 16:02:44 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 24717] New: Koha should set a referrer policy Date: Mon, 24 Feb 2020 15:02:43 +0000 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2936814496668279372==" --===============2936814496668279372== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D24717 Bug ID: 24717 Summary: Koha should set a referrer policy Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: gmcharlt@gmail.com QA Contact: testopia@bugs.koha-community.org Koha should set a referrer policy [0] to restrict what is passed in the Refer= er header when external resources (e.g., cover images, added content of various stripes, electronic resources, external images and CSS, etc.) are embedded or navigated to. If a referrer policy is not set, the default policy of no-referrer-when-downgrade means that (say) the full referring URL, which can include record IDs and catalog search strings, will be sent to outside webservers providing external resources provided that loading the external resource doesn't mean downgrading from HTTPS to HTTP. Better values for the referrer policy include: * strict-origin-when-cross-origin * origin-when-cross-origin Values that might break current Koha functionality that inspects the Referer header include: * no-referrer * origin * strict-origin Values that might break legitimate inspection of the Referer header by servic= es that perform referring URL "authentication" include: * no-referrer * same-origin A referrer policy can be set in various ways: - Using a Referrer-Policy HTTP header configured at the Apache or NGINX level - Using a meta tag: - Using a referrerpolicy attribute in , , ,