Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)

Added 'common_headers' hook

.htaccess

@@ -64,5 +64,6 @@ Header set X-Robots-Tag "noindex, nofollow"
 # CSP - Content Security Policy
 # for better privacy/security ask browsers to not set the Referer
 # more flags for script, stylesheets and images available, read RFC for more information
+# Note: "Referrer-Policy: same-origin" is already set by php code.
 #Header set Content-Security-Policy "referrer no-referrer"
 </IfModule>

CHANGELOG

@@ -2,9 +2,11 @@ CHANGELOG Roundcube Webmail
 ===========================
 
 - SMTP GSSAPI support via krb_authentication plugin (#6417)
+- Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
 - Removed referer_check option (#6440)
 - Update to TinyMCE 4.8.2
 - Plugin API: Added 'raise_error' hook (#6199)
+- Plugin API: Added 'common_headers' hook (#6385)
 - Managesieve: Added support for 'editheader' extension - RFC5293 (#5954)
 - Password: Added 'modoboa' driver (#6361)
 - Password: Fix bug where password_dovecotpw_with_method setting could be ignored (#6436)

index.php

@@ -44,7 +44,7 @@ $RCMAIL = rcmail::get_instance(0, $GLOBALS['env']);
 
 // Make the whole PHP output non-cacheable (#1487797)
 $RCMAIL->output->nocacheing_headers();
-$RCMAIL->output->common_headers();
+$RCMAIL->output->common_headers(!empty($_SESSION['user_id']));
 
 // turn on output buffering
 ob_start();

program/lib/Roundcube/rcube_output.php

@@ -175,25 +175,40 @@ abstract class rcube_output
     }
 
     /**
-     * Send browser compatibility/security/etc. headers
+     * Send browser compatibility/security/privacy headers
+     *
+     * @param bool $privacy Enable privacy headers
      */
-    public function common_headers()
+    public function common_headers($privacy = true)
     {
         if (headers_sent()) {
             return;
         }
 
+        $headers = array();
+
         // Unlock IE compatibility mode
         if ($this->browser->ie) {
-            header('X-UA-Compatible: IE=edge');
+            $headers['X-UA-Compatible'] = 'IE=edge';
         }
 
-        // Request browser to disable DNS prefetching (CVE-2010-0464)
-        header("X-DNS-Prefetch-Control: off");
+        if ($privacy) {
+            // Request browser to disable DNS prefetching (CVE-2010-0464)
+            $headers['X-DNS-Prefetch-Control'] = 'off';
+
+            // Request browser disable Referer (sic) header
+            $headers['Referrer-Policy'] = 'same-origin';
+        }
 
         // send CSRF and clickjacking protection headers
         if ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')) {
-            header('X-Frame-Options: ' . $xframe);
+            $headers['X-Frame-Options'] = $xframe;
+        }
+
+        $plugin = $this->app->plugins->exec_hook('common_headers', array('headers' => $headers, 'privacy' => $privacy));
+
+        foreach ($plugin['headers'] as $header => $value) {
+            header("$header: $value");
         }
     }