Add a no_referrer setting to prevent browsers leaking information.

author Duncan <duncan@vtllf.org>

Sun, 2 Aug 2015 03:51:27 +0000 (06:51 +0300)

committer Berker Peksag <berker.peksag@gmail.com>

Sun, 2 Aug 2015 03:52:04 +0000 (06:52 +0300)
author Duncan <duncan@vtllf.org>
Sun, 2 Aug 2015 03:51:27 +0000 (06:51 +0300)
committer Berker Peksag <berker.peksag@gmail.com>
Sun, 2 Aug 2015 03:52:04 +0000 (06:52 +0300)
diff --git a/mediagoblin/config_spec.ini b/mediagoblin/config_spec.ini

index fd86700a44ab6f788fd9064129dcafaa2158a07c..0a8da73e345541129e9c9c2f4ea6d7d47a65a75e 100644 (file)
--- a/mediagoblin/config_spec.ini
+++ b/mediagoblin/config_spec.ini
@@ -86,6 +86,9 @@ allow_attachments = boolean(default=False)
  # Cookie stuff
  csrf_cookie_name = string(default='mediagoblin_csrftoken')
  
+# Set to true to prevent browsers leaking information through Referrers
+no_referrer = boolean(default=True)
+
  # Push stuff
  push_urls = string_list(default=list())
  
diff --git a/mediagoblin/templates/mediagoblin/base.html b/mediagoblin/templates/mediagoblin/base.html

index ddc38b3e34d536ee6d4acd5a892a23fc5731a2e7..778cc3f90989edfdb6bb99292fe51b756c3a1526 100644 (file)
--- a/mediagoblin/templates/mediagoblin/base.html
+++ b/mediagoblin/templates/mediagoblin/base.html
@@ -27,6 +27,9 @@
    <head>
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    {% if app_config['no_referrer'] -%}
+      <meta name="referrer" content="no-referrer">
+    {%- endif %}
      <meta http-equiv="X-UA-Compatible" content="IE=Edge">
      <title>{% block title %}{{ app_config['html_title'] }}{% endblock %}</title>
      <link rel="stylesheet" type="text/css"
author	Duncan <duncan@vtllf.org>
	Sun, 2 Aug 2015 03:51:27 +0000 (06:51 +0300)
committer	Berker Peksag <berker.peksag@gmail.com>
	Sun, 2 Aug 2015 03:52:04 +0000 (06:52 +0300)
mediagoblin/config_spec.ini		patch \| blob \| blame \| history
mediagoblin/templates/mediagoblin/base.html		patch \| blob \| blame \| history