-rw-r--r--Bugzilla/CGI.pm16
-rw-r--r--template/en/default/global/header.html.tmpl7
2 files changed, 19 insertions, 4 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 651c31bad..35d6dd687 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -491,6 +491,11 @@ sub _prevent_unsafe_response {
}
}
+sub should_block_referrer {
+ my ($self) = @_;
+ return length($self->self_url) > 8000;
+}
+
# Override header so we can add the cookies in
sub header {
my $self = shift;
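Review bot: The threshold in `return length($self->self_url) > 8000;` is a bare magic number with no comment on what it protects against, so a maintainer cannot tell whether it is safe to raise or lower. Presumably it is meant to keep a same-origin Referer built from this page's URL under the ~8 KiB request-header limit many servers enforce (Apache's default LimitRequestFieldSize is 8190); if so, say so, e.g. `# Long URLs (big search queries) must not be replayed in full as a Referer: stay under the ~8 KiB request-header limit most servers enforce.` and hoist the value into a named constant near the top of the file. Note also that `length` counts characters, not bytes, which only matches the header size if self_url is already percent-encoded ASCII — worth confirming. The `sub header` that opens at the end of this hunk continues outside it.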
@@ -570,15 +575,20 @@ sub header {
# the MIME type away from the declared Content-Type.
$headers{'-x_content_type_options'} = 'nosniff';
- my $csp = $self->content_security_policy;
- $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable;
-
Bugzilla::Hook::process('cgi_headers',
{ cgi => $self, headers => \%headers }
);
$self->{_header_done} = 1;
if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) {
+ if ($self->should_block_referrer) {
+ $headers{'-referrer_policy'} = 'origin';
+ }
+ my $csp = $self->content_security_policy;
+ if (defined $csp && !$csp->disable) {
+ $csp->add_cgi_headers(\%headers)
+ }
+
my @fonts = (
"skins/standard/fonts/FiraMono-Regular.woff2?v=3.202",
"skins/standard/fonts/FiraSans-Bold.woff2?v=4.203",
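Review bot: The CSP header is now added after `Bugzilla::Hook::process('cgi_headers', ...)` rather than before it, so an extension hook that previously inspected or adjusted the Content-Security-Policy entry in %headers no longer sees it, and any CSP value a hook sets is silently overwritten by `$csp->add_cgi_headers(\%headers)`. If that reordering is intentional, document it with a comment such as `# CSP and Referrer-Policy are added after the cgi_headers hook so extensions cannot weaken them.`; otherwise move the CSP block back ahead of the hook call. The CSP is also now emitted only under USAGE_MODE_BROWSER, so non-browser responses that used to carry it no longer do — probably harmless for API output, but it is a behaviour change worth stating explicitly. `header` begins before this hunk and continues past it.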
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 04b996e16..428354233 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -98,6 +98,12 @@
<meta charset="UTF-8">
[% END %]
+ [% IF Bugzilla.cgi.should_block_referrer %]
+ <meta name="referrer" content="origin">
+ [% ELSE %]
+ <meta name="referrer" content="origin-when-crossorigin">
+ [% END %]
+
[%- js_BUGZILLA = {
param => {
maxusermatches => Param('maxusermatches'),
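Review bot: The ELSE branch `<meta name="referrer" content="origin-when-crossorigin">` uses the legacy spelling of the policy token; the Referrer Policy spec's token is `origin-when-cross-origin`, and the old form is only listed as a deprecated alias that browsers are not required to keep honouring. Since the line is being moved anyway, change it to `<meta name="referrer" content="origin-when-cross-origin">`. Also, when should_block_referrer is false the CGI.pm hunk sends no Referrer-Policy HTTP header at all, so this meta tag is the only policy carrier in the common case; emitting the header in both branches would keep header and markup consistent and cover responses that never render this template.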
@@ -206,7 +212,6 @@
[% IF allow_mobile && is_mobile_browser %]
<meta name="viewport" content="width=device-width, initial-scale=1">
[% END %]
- <meta name="referrer" content="origin-when-crossorigin">
[% Hook.process("additional_header") %]
</head>