leakage when Firefox does DNS prefetching for URLs contained in emails.
https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13903 7612ce4b-ef26-0410-bec9-ea0150e637f0
- Encoded From headers now properly quoted (#2830141).
- Multibyte strings (notably subjects) are now handled correctly (#2824813,
#2925731).
+ - Send X-DNS-Prefetch-Control: off header to browsers to prevent information
+ leakage when Firefox does DNS prefetching for URL's contained in emails.
Version 1.5.1 (branched on 2006-02-12)
--------------------------------------
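Review bot: the new ChangeLog entry carries no reference, unlike the two entries above it, which cite tracker numbers (#2830141, #2824813, #2925731). Add the advisory URL given in the commit message so the reason for the header can be traced from the ChangeLog alone. The entry also says the header is sent "to browsers" but names only Firefox as the affected client; browser-neutral wording would match what the code does, and "URL's" should read "URLs".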
//FIXME: should change all header() calls in SM core to use $oTemplate->header()!!
$oTemplate->header('Pragma: no-cache'); // http 1.0 (rfc1945)
$oTemplate->header('Cache-Control: private, no-cache, no-store'); // http 1.1 (rfc2616)
+ /* prevent information leakage about read emails by forbidding Firefox
+ * to do preemptive DNS requests for any links in the message body. */
+ $oTemplate->header('X-DNS-Prefetch-Control: off');
// don't show version as a security measure
//$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
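Review bot: the comment above the added `$oTemplate->header('X-DNS-Prefetch-Control: off');` call names Firefox only, while the call itself is unconditional and goes to every client; word the comment as applying to any browser that honours the header. The FIXME at the top of this context says not all header() calls in the core go through $oTemplate->header() yet, so please also confirm that every page which renders a message body passes through this block; any view that sets its headers elsewhere would still be served without the prefetch control.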