Prevent referrer to be send

Uses both CSP and Referrer-Policy
Fixes #96
This commit is contained in:
rugk 2016-09-03 18:12:24 +02:00
parent b7184b92a3
commit 1a159c973f
No known key found for this signature in database
GPG Key ID: 05D40A636AFAB34D
9 changed files with 26 additions and 3 deletions

View File

@ -1,5 +1,5 @@
; config file for PrivateBin ; config file for PrivateBin
; ;
; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration. ; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
[main] [main]
@ -60,7 +60,7 @@ languageselection = false
; custom scripts from third-party domains to your templates, e.g. tracking ; custom scripts from third-party domains to your templates, e.g. tracking
; scripts or run your site behind certain DDoS-protection services. ; scripts or run your site behind certain DDoS-protection services.
; Check the documentation at https://content-security-policy.com/ ; Check the documentation at https://content-security-policy.com/
cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:;" cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer;"
; stay compatible with PrivateBin Alpha 0.19, less secure ; stay compatible with PrivateBin Alpha 0.19, less secure
; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of

View File

@ -51,7 +51,7 @@ class Configuration
'languagedefault' => '', 'languagedefault' => '',
'urlshortener' => '', 'urlshortener' => '',
'icon' => 'identicon', 'icon' => 'identicon',
'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:;', 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer;',
'zerobincompatibility' => false, 'zerobincompatibility' => false,
), ),
'expire' => array( 'expire' => array(

17
test.php Executable file
View File

@ -0,0 +1,17 @@
<?php
$RandomCompat_basedir = ini_get('open_basedir');
if (!empty($RandomCompat_basedir)) {
$RandomCompat_open_basedir = explode(
PATH_SEPARATOR,
strtolower($RandomCompat_basedir)
);
$RandomCompatUrandom = (array() !== array_intersect(
array('/dev', '/dev/', '/dev/urandom'),
$RandomCompat_open_basedir
));
$RandomCompat_open_basedir = null;
}
var_dump($RandomCompat_basedir);
var_dump($RandomCompat_open_basedir);
?>

View File

@ -7,6 +7,7 @@ use PrivateBin\I18n;
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex" /> <meta name="robots" content="noindex" />
<meta name="referrer" content="no-referrer">
<title><?php echo I18n::_('PrivateBin'); ?></title> <title><?php echo I18n::_('PrivateBin'); ?></title>
<link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-3.3.5.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-3.3.5.css" />
<link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" />

View File

@ -7,6 +7,7 @@ use PrivateBin\I18n;
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex" /> <meta name="robots" content="noindex" />
<meta name="referrer" content="no-referrer">
<title><?php echo I18n::_('PrivateBin'); ?></title> <title><?php echo I18n::_('PrivateBin'); ?></title>
<link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" />
<link type="text/css" rel="stylesheet" href="css/bootstrap/darkstrap-0.9.3.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/darkstrap-0.9.3.css" />

View File

@ -7,6 +7,7 @@ use PrivateBin\I18n;
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex" /> <meta name="robots" content="noindex" />
<meta name="referrer" content="no-referrer">
<title><?php echo I18n::_('PrivateBin'); ?></title> <title><?php echo I18n::_('PrivateBin'); ?></title>
<link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" />
<link type="text/css" rel="stylesheet" href="css/bootstrap/darkstrap-0.9.3.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/darkstrap-0.9.3.css" />

View File

@ -7,6 +7,7 @@ use PrivateBin\I18n;
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex" /> <meta name="robots" content="noindex" />
<meta name="referrer" content="no-referrer">
<title><?php echo I18n::_('PrivateBin'); ?></title> <title><?php echo I18n::_('PrivateBin'); ?></title>
<link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-3.3.5.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-3.3.5.css" />
<link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" />

View File

@ -7,6 +7,7 @@ use PrivateBin\I18n;
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex" /> <meta name="robots" content="noindex" />
<meta name="referrer" content="no-referrer">
<title><?php echo I18n::_('PrivateBin'); ?></title> <title><?php echo I18n::_('PrivateBin'); ?></title>
<link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-3.3.5.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-3.3.5.css" />
<link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" /> <link type="text/css" rel="stylesheet" href="css/bootstrap/bootstrap-theme-3.3.5.css" />

View File

@ -5,6 +5,7 @@ use PrivateBin\I18n;
<head> <head>
<meta charset="utf-8" /> <meta charset="utf-8" />
<meta name="robots" content="noindex" /> <meta name="robots" content="noindex" />
<meta name="referrer" content="no-referrer">
<title><?php echo I18n::_('PrivateBin'); ?></title> <title><?php echo I18n::_('PrivateBin'); ?></title>
<link type="text/css" rel="stylesheet" href="css/privatebin.css?<?php echo rawurlencode($VERSION); ?>" /> <link type="text/css" rel="stylesheet" href="css/privatebin.css?<?php echo rawurlencode($VERSION); ?>" />
<?php <?php