<p>Redmine - Feature #29660: Add Referrer-Policy header to prevent browsers from sending private data to external sites (<a class="external" href="https://www.redmine.org/issues/29660">https://www.redmine.org/issues/29660</a>, feed updated 2018-09-22T09:58:43Z)</p>
<p><em>Updated by Go MAEDA on 2018-09-22T09:58:43Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87483">journal 87483</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/24583">Feature #24583</a>: Remove HTTP Referer</i> added</li></ul>
<p><em>Updated by Go MAEDA on 2018-09-22T10:13:59Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87485">journal 87485</a>)</p>
<p>It is not a perfect solution because some browsers such as Edge 18 and Safari on iOS 12 don't support the "origin-when-crossorigin" value for the "referrer" meta tag.<br /><a class="external" href="https://caniuse.com/#search=referer">https://caniuse.com/#search=referer</a></p>
<p>However, adding the meta tag is effective in mitigating the security risk if users in the organization use Chrome, Firefox, or Safari.</p>
<pre><code class="diff syntaxhl"><span class="gh">Index: app/views/layouts/base.html.erb
===================================================================
</span><span class="gd">--- app/views/layouts/base.html.erb (revision 17495)
</span><span class="gi">+++ app/views/layouts/base.html.erb (working copy)
</span><span class="p">@@ -7,6 +7,7 @@</span>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
<meta name="description" content="<%= Redmine::Info.app_name %>" />
<meta name="keywords" content="issue,bug,tracker" />
<span class="gi">+<meta name="referrer" content="origin-when-crossorigin" />
</span> <%= csrf_meta_tag %>
<%= favicon %>
<%= stylesheet_link_tag 'jquery/jquery-ui-1.11.0', 'application', 'responsive', :media => 'all' %>
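Review bot: the token on the added line, "origin-when-crossorigin", is the legacy spelling; the Referrer Policy specification names the value origin-when-cross-origin (the spelling used for the header value later in this thread), and a browser that only knows the spec form treats an unknown token as the empty policy and falls back to its default, so the spec spelling is the safer choice here. A second limitation of the meta-tag route is scope: a meta referrer element only governs requests made from documents rendered through this layout, so responses that do not use base.html.erb (attachments, API and redirect responses) carry no policy at all, which is what the header approach discussed below avoids.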
</code></pre>
<p><em>Updated by Go MAEDA on 2018-09-22T11:23:37Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87486">journal 87486</a>)</p>
<ul><li><strong>Target version</strong> set to <i>Candidate for next major release</i></li></ul>
<p><em>Updated by Go MAEDA on 2018-09-25T21:26:10Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87584">journal 87584</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>Candidate for next major release</i> to <i>4.1.0</i></li></ul><p>Setting target version to 4.1.0.</p>
<p><em>Updated by Go MAEDA on 2018-09-29T02:16:11Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87656">journal 87656</a>)</p>
<p>Maybe adding a Referrer-Policy header is preferable to adding a meta tag, for the following reasons.</p>
<ul>
<li>We can ensure that the header is always set</li>
<li>Sysadmins can easily override the header by configuring web servers if necessary</li>
</ul>
<pre><code class="diff syntaxhl"><span class="gh">diff --git a/config/application.rb b/config/application.rb
index d77d37e70..3e014f480 100644
</span><span class="gd">--- a/config/application.rb
</span><span class="gi">+++ b/config/application.rb
</span><span class="p">@@ -53,6 +53,8 @@</span> module RedmineApp
# Sets the Content-Length header on responses with fixed-length bodies
config.middleware.insert_after Rack::Sendfile, Rack::ContentLength
+ config.action_dispatch.default_headers['Referrer-Policy'] = 'origin-when-cross-origin'
<span class="gi">+
</span> # Verify validity of user sessions
config.redmine_verify_sessions = true
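Review bot: origin-when-cross-origin on the added line still sends the origin when navigating from an HTTPS page to an HTTP destination, so on that one axis it is looser than the browsers' former default no-referrer-when-downgrade; strict-origin-when-cross-origin keeps the same origin-only behaviour for cross-origin requests and drops the Referer entirely on a downgrade. Also, Rails 5.2 already ships Referrer-Policy: strict-origin-when-cross-origin in default_headers (see the Rails security guide linked later in this thread), so this assignment would replace a stricter default with a looser value once Redmine runs on that version. The setting is added without a comment; a line explaining the choice and its effect on Referer-dependent code would help the next reader.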
</code></pre>
<p><em>Updated by Gregor Schmidt (schmidt@nach-vorne.eu) on 2018-10-01T08:05:31Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87723">journal 87723</a>)</p>
<p>This seems to be a sensible improvement. It does not impact the behavior for users on IE/Edge, but it improves privacy for users of Chrome, Firefox, and Safari.</p>
<p>I also agree that using an HTTP header is the better option.</p>
<p>However, I am not sure whether <code>same-origin</code> or <code>origin-when-cross-origin</code> would be the better default.</p>
<p><em>Updated by Holger Just on 2018-10-01T15:31:53Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87740">journal 87740</a>)</p>
<p>The most secure variant would probably be <code>strict-origin-when-cross-origin</code>, which seems to be supported by the same current set of commonly used browsers which support <code>origin-when-cross-origin</code>. Compared to the shorter option, the strict one ensures that we don't send any referrer from a secure page to an insecure page, similar to the default <code>no-referrer-when-downgrade</code>.</p>
<p>As such, I vote for <code>strict-origin-when-cross-origin</code>. That way, we can still leverage the use of referrers locally (e.g. through log analysis) but don't leak potentially private data to external sites.</p>
<p>If we also want to specifically support IE, we should use <code>origin</code>. However, this would impact most local log analyzer software people might use on their Redmine installations, as user flows cannot be followed anymore. Thus, I think it's a reasonable tradeoff to use <code>origin-when-cross-origin</code> with most users and to accept the potential leaks for IE/Edge users (until Microsoft and Apple implement the current spec in Edge and Safari/iOS).</p>
<p>I'm with Maeda-san and Gregor on using a header instead of a meta tag.</p>
<p><em>Updated by Ebrahim Mohammadi on 2018-10-02T07:36:46Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87760">journal 87760</a>)</p>
<p>Using the Referrer-Policy HTTP header is a great idea.</p>
<p><em>Updated by Gregor Schmidt (schmidt@nach-vorne.eu) on 2018-10-02T08:14:13Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87762">journal 87762</a>)</p>
<p>Holger Just wrote:</p>
<blockquote>
<p>If we also want to specifically support IE, we should use <code>origin</code>. However, this would impact most local log analyzer software people might use on their Redmine installations, as user flows cannot be followed anymore. Thus, I think it's a reasonable tradeoff to use <code>origin-when-cross-origin</code> with most users and to accept the potential leaks for IE/Edge users (until Microsoft and Apple implement the current spec in Edge and Safari/iOS).</p>
</blockquote>
<p>Whatever you decide to use in the end, please <strong>don't</strong> use <code>origin</code>, since it would not only affect logs: Redmine itself relies on the <code>Referer</code> header whenever it uses <code>redirect :back</code>.</p>
<p>When using <code>origin</code>, this would result in a redirect to the main page. The fallback specified for <code>redirect_back_or_default</code> would not be used, since a <code>Referer</code> header is present. This would result in a serious negative impact on the user flow.</p>
<p><em>Updated by Ludovic Andrieux on 2018-10-02T09:24:08Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87764">journal 87764</a>)</p>
<p>Hi,</p>
<p>If you are looking at HTTP headers, could you have a look at <a class="issue tracker-2 status-1 priority-4 priority-default" title="Feature: Support header Content Security Policy (New)" href="https://www.redmine.org/issues/29405">#29405</a>?</p>
<p>Best regards</p>
<p><em>Updated by Go MAEDA on 2018-10-02T09:49:14Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87765">journal 87765</a>)</p>
<p>Holger Just wrote:</p>
<blockquote>
<p>The most secure variant would probably be <code>strict-origin-when-cross-origin</code>, which seems to be supported by the same current set of commonly used browsers which support <code>origin-when-cross-origin</code>. Compared to the shorter option, the strict one ensures that we don't send any referrer from a secure page to an insecure page, similar to the default <code>no-referrer-when-downgrade</code>.</p>
</blockquote>
<p>Thank you for the detailed explanation. Now I think <code>strict-origin-when-cross-origin</code> is the best. We should not use a looser option than the default <code>no-referrer-when-downgrade</code>.</p>
<pre><code class="diff syntaxhl"><span class="gh">Index: config/application.rb
===================================================================
</span><span class="gd">--- config/application.rb (revision 17559)
</span><span class="gi">+++ config/application.rb (working copy)
</span><span class="p">@@ -53,6 +53,10 @@</span>
# Sets the Content-Length header on responses with fixed-length bodies
config.middleware.insert_after Rack::Sendfile, Rack::ContentLength
+ # Strip path information in the Referer header to prevent sending
<span class="gi">+ # private data to external sites
+ config.action_dispatch.default_headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
+
</span> # Verify validity of user sessions
config.redmine_verify_sessions = true
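Review bot: the comment on the added lines describes only the path stripping, but the reason strict-origin-when-cross-origin was preferred over origin-when-cross-origin in this thread is that it also suppresses the Referer completely on an HTTPS-to-HTTP navigation; stating that in the comment would keep the rationale with the setting. On Rails 5.2 the line is equivalent to the framework's own default for this header (see the Rails security guide linked later in the thread), so there it documents the choice rather than changing behaviour; on older Rails it is what introduces the header, which is the intended effect. The hunk header (+53,6 +53,10) matches the four added lines.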
</code></pre>
<p><em>Updated by Go MAEDA on 2018-10-02T10:48:11Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=87769">journal 87769</a>)</p>
<ul><li><strong>Subject</strong> changed from <i>Control over HTTP Referrer Configuration</i> to <i>Add Referrer-Policy header to prevent browsers from sending private data to external sites</i></li><li><strong>Assignee</strong> set to <i>Jean-Philippe Lang</i></li></ul>
<p><em>Updated by Alexander Meindl on 2019-01-01T16:21:08Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=89202">journal 89202</a>)</p>
<p>It looks like <em>strict-origin-when-cross-origin</em> is already set by Rails 5 default settings, see <a class="external" href="https://guides.rubyonrails.org/security.html#content-security-policy">https://guides.rubyonrails.org/security.html#content-security-policy</a></p>
<p><em>Updated by Go MAEDA on 2019-01-02T01:13:23Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=89203">journal 89203</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Assignee</strong> deleted (<del><i>Jean-Philippe Lang</i></del>)</li><li><strong>Target version</strong> deleted (<del><i>4.1.0</i></del>)</li><li><strong>Resolution</strong> set to <i>Fixed</i></li></ul><p>Alexander Meindl wrote:</p>
<blockquote>
<p>It looks like <em>strict-origin-when-cross-origin</em> is already set by Rails 5 default settings, see <a class="external" href="https://guides.rubyonrails.org/security.html#content-security-policy">https://guides.rubyonrails.org/security.html#content-security-policy</a></p>
</blockquote>
<p>You are right. Thank you for pointing it out. Since Redmine 4.0.0 adds the header by default, we can close this issue.</p>
<p>I confirmed that <code>"Referrer-Policy"=>"strict-origin-when-cross-origin"</code> is included in <code>default_headers</code> and that the response sent by Redmine 4.0.0 has a Referrer-Policy field.</p>
<pre>
$ bin/rails r 'p Rails.application.config.action_dispatch.default_headers["Referrer-Policy"]'
"strict-origin-when-cross-origin"
</pre>
<p><em>Updated by Marius BĂLTEANU on 2019-01-02T05:22:14Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=89205">journal 89205</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-3 status-5 priority-4 priority-default closed" href="/issues/28933">Patch #28933</a>: Migrate to Rails 5.2</i> added</li></ul>
<p><em>Updated by Marius BĂLTEANU on 2019-01-02T05:22:55Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=89207">journal 89207</a>)</p>
<ul><li><strong>Related to</strong> deleted (<i><a class="issue tracker-3 status-5 priority-4 priority-default closed" href="/issues/28933">Patch #28933</a>: Migrate to Rails 5.2</i>)</li></ul>
<p><em>Updated by Marius BĂLTEANU on 2019-01-02T05:23:15Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=89209">journal 89209</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/23630">Feature #23630</a>: Migrate to Rails 5.2</i> added</li></ul>
<p><em>Updated by Go MAEDA on 2019-08-10T06:42:52Z</em> (<a class="external" href="https://www.redmine.org/issues/29660?journal_id=93030">journal 93030</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/14648">Feature #14648</a>: Add a link dispatcher to textile texts</i> added</li></ul>
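<p>An added example, not code from this thread or from Redmine, that ties together Holger Just's comparison of the policy values (journal 87740) and Gregor Schmidt's point about <code>redirect :back</code> under <code>origin</code> (journal 87762): it computes the Referer a browser sends under each Referrer-Policy value for a given navigation, then feeds it to a hypothetical, simplified stand-in for Redmine's <code>redirect_back_or_default</code>. The hostnames <code>redmine.example</code> and <code>tracker.example</code> are constructed.</p>

```ruby
# Added example (not Redmine's code): models the Referer a browser sends under
# each Referrer-Policy value from the thread, plus a hypothetical simplified
# redirect_back_or_default to show why the `origin` policy lands on "/".
require 'uri'

# scheme://host[:port] of a parsed URI, default port omitted.
def origin_of(u)
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
end

# Referer sent when navigating from `from` to `to` under `policy`, or nil when
# none is sent. Fragment and userinfo are never included, as the spec requires.
def referer_for(policy, from, to)
  src, dst = URI(from), URI(to)
  same_origin = origin_of(src) == origin_of(dst)
  downgrade   = src.scheme == 'https' && dst.scheme == 'http'
  full   = origin_of(src) + src.request_uri # path and query kept
  origin = origin_of(src) + '/'             # origin only
  case policy
  when 'no-referrer'                then nil
  when 'no-referrer-when-downgrade' then downgrade ? nil : full
  when 'origin'                     then origin
  when 'strict-origin'              then downgrade ? nil : origin
  when 'same-origin'                then same_origin ? full : nil
  when 'origin-when-cross-origin'   then same_origin ? full : origin
  when 'strict-origin-when-cross-origin'
    same_origin ? full : (downgrade ? nil : origin)
  else raise ArgumentError, "unknown Referrer-Policy: #{policy}"
  end
end

# Hypothetical stand-in for Redmine's helper: a Referer pointing at this host
# wins over the default path, so a Referer cut down to the bare origin sends
# the user to "/" instead of back to the page they came from.
def redirect_back_or_default(referer, default, host: 'redmine.example')
  return default if referer.nil?
  ref = URI(referer)
  ref.host == host ? ref.request_uri : default
end

if __FILE__ == $PROGRAM_NAME
  from = 'https://redmine.example/issues/29660?tab=notes#note-5' # constructed
  %w[origin origin-when-cross-origin strict-origin-when-cross-origin].each do |p|
    external = referer_for(p, from, 'http://tracker.example/')
    back = redirect_back_or_default(referer_for(p, from, 'https://redmine.example/issues/29660/edit'), '/issues')
    puts format('%-34s to http site: %-28s redirect :back -> %s', p, external.inspect, back)
  end
end
```

Running it prints one row per policy: only the strict value sends nothing to the plain-http site, and only <code>origin</code> turns the back-redirect into a jump to <code>/</code>.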