https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24717

            Bug ID: 24717
           Summary: Koha should set a referrer policy
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Architecture, internals, and plumbing
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]

Koha should set a referrer policy [0] to restrict what is passed in the Referer
header when external resources (e.g., cover images, added content of various
stripes, electronic resources, external images and CSS, etc.) are embedded or
navigated to.

If a referrer policy is not set, the default policy of
no-referrer-when-downgrade means that the full referring URL, which can
include record IDs and catalog search strings, will be sent to the outside
web servers that provide those external resources, as long as loading the
external resource does not downgrade from HTTPS to HTTP.

Better values for the referrer policy include:

* strict-origin-when-cross-origin
* origin-when-cross-origin

Values that might break current Koha functionality that inspects the Referer
header include:

* no-referrer
* origin
* strict-origin

Values that might break legitimate inspection of the Referer header by services
that perform referring URL "authentication" include:

* no-referrer
* same-origin

A referrer policy can be set in various ways:

- Using a Referrer-Policy HTTP header configured at the Apache or NGINX level
- Using a meta tag:

<meta name="referrer" content="strict-origin-when-cross-origin">

- Using a referrerpolicy attribute in <a>, <area>, <img>, <iframe>, <script>,
or <link> tags
- Using a noreferrer link relation in <a>, <area>, or <link> elements.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
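To make the difference between the policies concrete, the following added example (not Koha's code, and not from the bug report) computes the Referer value a browser sends for a given referring page and target URL under each Referrer-Policy value, following the rules in the Referrer Policy specification (credentials and fragment stripped, downgrade detection, 4096-byte fallback to origin). The catalog and cover-image URLs are constructed sample values.

```python
"""Compute the Referer header a browser would send under each Referrer-Policy
value, using the rules from the W3C Referrer Policy specification.
All URLs used here are constructed sample values, not real hosts."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
MAX_REFERRER_LEN = 4096  # spec: longer referrers are reduced to their origin
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _parts(url):
    """(scheme, host, effective port, parsed) with default ports filled in."""
    p = urlsplit(url)
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme)
    return p.scheme, (p.hostname or ""), port, p


def _netloc(scheme, host, port):
    return host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"


def origin_of(url):
    """Serialised origin plus '/', which is what origin-type policies send."""
    scheme, host, port, _ = _parts(url)
    return f"{scheme}://{_netloc(scheme, host, port)}/"


def stripped_url(url):
    """Full referrer: userinfo and fragment removed; overlong URLs fall back to origin."""
    scheme, host, port, p = _parts(url)
    full = urlunsplit((scheme, _netloc(scheme, host, port), p.path or "/", p.query, ""))
    return full if len(full) <= MAX_REFERRER_LEN else origin_of(url)


def same_origin(a, b):
    return _parts(a)[:3] == _parts(b)[:3]


def is_downgrade(referring_url, target_url):
    """True when a TLS-protected page loads or navigates to a plain-text target."""
    secure = ("https", "wss")
    return _parts(referring_url)[0] in secure and _parts(target_url)[0] not in secure


def referrer_for(policy, referring_url, target_url):
    """Return the Referer value for `policy`, or None when nothing is sent."""
    same = same_origin(referring_url, target_url)
    downgrade = is_downgrade(referring_url, target_url)
    full, origin = stripped_url(referring_url), origin_of(referring_url)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # browser default when no policy is set
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "same-origin":
        return full if same else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown referrer policy: {policy}")


def leakage_table(referring_url, target_url):
    """Map every policy to what the target server would see for this pair of URLs."""
    return {p: referrer_for(p, referring_url, target_url) for p in POLICIES}


if __name__ == "__main__":
    # Constructed sample: an OPAC detail page with a record ID and a search string
    page = ("https://catalog.example.org/cgi-bin/koha/opac-detail.pl"
            "?biblionumber=1234&q=mental%20health")
    for target in ("https://covers.example.net/cover.jpg",
                   "http://covers.example.net/cover.jpg"):
        print(f"\nexternal resource: {target}")
        for policy, ref in leakage_table(page, target).items():
            print(f"  {policy:32s} -> {ref}")
```

Running it shows that with no policy configured (no-referrer-when-downgrade) an HTTPS cover-image server receives the full detail-page URL including the record ID and search terms, while strict-origin-when-cross-origin or origin-when-cross-origin reduce that to `https://catalog.example.org/` and still pass the full URL on same-origin requests, which is what Koha's own Referer-inspecting code would see.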
