author | Dylan William Hardison <dylan@hardison.net> | 2018-02-20 15:11:48 +0100 |
---|---|---|
committer | Dylan William Hardison <dylan@hardison.net> | 2018-02-20 15:11:54 +0100 |
commit | 3bd95a4452433e68b21935463cb9e6b07ff4e449 (patch) | |
tree | 07ad59b04f34f9ecebcc167089e178c288326a7a | |
parent | 9ceb2e0a1564aa2d059646bc704f21283507ac9e (diff) | |
download | bugzilla-3bd95a4452433e68b21935463cb9e6b07ff4e449.tar.gz bugzilla-3bd95a4452433e68b21935463cb9e6b07ff4e449.tar.xz |
Bug 1432296 - Prevent bugzilla static assets from being blocked by overly long request URIs
-rw-r--r-- | Bugzilla/CGI.pm | 16 | ||||
-rw-r--r-- | template/en/default/global/header.html.tmpl | 7 |
2 files changed, 19 insertions, 4 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 651c31bad..35d6dd687 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -491,6 +491,11 @@ sub _prevent_unsafe_response {
     }
 }
+sub should_block_referrer {
+    my ($self) = @_;
+    return length($self->self_url) > 8000;
+}
+
 # Override header so we can add the cookies in
 sub header {
     my $self = shift;
@@ -570,15 +575,20 @@ sub header {
     # the MIME type away from the declared Content-Type.
     $headers{'-x_content_type_options'} = 'nosniff';
-    my $csp = $self->content_security_policy;
-    $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable;
-
     Bugzilla::Hook::process('cgi_headers', { cgi => $self, headers => \%headers } );
     $self->{_header_done} = 1;
     if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) {
+        if ($self->should_block_referrer) {
+            $headers{'-referrer_policy'} = 'origin';
+        }
+        my $csp = $self->content_security_policy;
+        if (defined $csp && !$csp->disable) {
+            $csp->add_cgi_headers(\%headers)
+        }
+
         my @fonts = (
             "skins/standard/fonts/FiraMono-Regular.woff2?v=3.202",
             "skins/standard/fonts/FiraSans-Bold.woff2?v=4.203",
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 04b996e16..428354233 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -98,6 +98,12 @@
     <meta charset="UTF-8">
   [% END %]
+  [% IF Bugzilla.cgi.should_block_referrer %]
+    <meta name="referrer" content="origin">
+  [% ELSE %]
+    <meta name="referrer" content="origin-when-crossorigin">
+  [% END %]
+
   [%- js_BUGZILLA = {
     param => {
       maxusermatches => Param('maxusermatches'),
@@ -206,7 +212,6 @@
   [% IF allow_mobile && is_mobile_browser %]
     <meta name="viewport" content="width=device-width, initial-scale=1">
   [% END %]
-  <meta name="referrer" content="origin-when-crossorigin">
   [% Hook.process("additional_header") %]
 </head> |
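Review bot: In the second hunk the CSP headers are now added after `Bugzilla::Hook::process('cgi_headers', ...)` and only inside the `USAGE_MODE_BROWSER` branch, whereas the removed lines ran before the hook and for every usage mode; extensions hooking `cgi_headers` can therefore no longer see or adjust the CSP headers, non-browser responses lose them entirely, and the commit message says nothing about either change. If both are intended, say so in place with a comment such as `# CSP and Referrer-Policy are set after the cgi_headers hook, for browser responses only`, otherwise keep the CSP block where it was and only add the Referrer-Policy line inside the browser branch. In the first hunk `8000` is an unexplained literal; a named constant with a short comment (presumably it is chosen to keep the full URL as a Referer below common header-size limits on asset requests — confirm) would make `should_block_referrer` self-describing, e.g. `use constant MAX_REFERRER_URL_LENGTH => 8000;`. A minor style point: `$csp->add_cgi_headers(\%headers)` in the new block lacks the trailing semicolon the rest of the file uses. The body of `header` continues outside the hunk.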
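Review bot: The `ELSE` branch in the first hunk carries over the legacy keyword `origin-when-crossorigin`; the standardized spelling is `origin-when-cross-origin`, and since this line is being rewritten anyway it is the place to switch: `<meta name="referrer" content="origin-when-cross-origin">`. The legacy form is kept only for compatibility with older meta-element handling, so relying on it for a policy that deliberately narrows referrers is fragile across browsers. The `IF` branch matches the `Referrer-Policy: origin` header set in Bugzilla/CGI.pm, but no header is sent in the `ELSE` case, so the policy there rests on the meta element alone; emitting the matching `Referrer-Policy` header for both cases would keep the two mechanisms in step.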