diff options
| author | Dylan William Hardison <dylan@hardison.net> | 2018-02-20 15:11:48 +0100 |
|---|---|---|
| committer | Dylan William Hardison <dylan@hardison.net> | 2018-02-20 15:11:54 +0100 |
| commit | 3bd95a4452433e68b21935463cb9e6b07ff4e449 (patch) | |
| tree | 07ad59b04f34f9ecebcc167089e178c288326a7a /Bugzilla/CGI.pm | |
| parent | 9ceb2e0a1564aa2d059646bc704f21283507ac9e (diff) | |
| download | bugzilla-3bd95a4452433e68b21935463cb9e6b07ff4e449.tar.gz bugzilla-3bd95a4452433e68b21935463cb9e6b07ff4e449.tar.xz | |
Bug 1432296 - Prevent bugzilla static assets from being blocked by overly long request URIs
Diffstat (limited to 'Bugzilla/CGI.pm')
| -rw-r--r-- | Bugzilla/CGI.pm | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 651c31bad..35d6dd687 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -491,6 +491,11 @@ sub _prevent_unsafe_response { } } +sub should_block_referrer { + my ($self) = @_; + return length($self->self_url) > 8000; +} + # Override header so we can add the cookies in sub header { my $self = shift; @@ -570,15 +575,20 @@ sub header { # the MIME type away from the declared Content-Type. $headers{'-x_content_type_options'} = 'nosniff'; - my $csp = $self->content_security_policy; - $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable; - Bugzilla::Hook::process('cgi_headers', { cgi => $self, headers => \%headers } ); $self->{_header_done} = 1; if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) { + if ($self->should_block_referrer) { + $headers{'-referrer_policy'} = 'origin'; + } + my $csp = $self->content_security_policy; + if (defined $csp && !$csp->disable) { + $csp->add_cgi_headers(\%headers) + } + my @fonts = ( "skins/standard/fonts/FiraMono-Regular.woff2?v=3.202", "skins/standard/fonts/FiraSans-Bold.woff2?v=4.203", |