Send X-DNS-Prefetch-Control: off header to browsers to prevent information
author kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Sat, 13 Feb 2010 16:27:52 +0000 (16:27 +0000)
committer kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Sat, 13 Feb 2010 16:27:52 +0000 (16:27 +0000)
leakage when Firefox does DNS prefetching for URLs contained in emails.
https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13903 7612ce4b-ef26-0410-bec9-ea0150e637f0

doc/ChangeLog
functions/page_header.php

index 00f1a2d..ee54124 100644 (file)
@@ -333,6 +333,8 @@ Version 1.5.2 - SVN
   - Encoded From headers now properly quoted (#2830141).
   - Multibyte strings (notably subjects) are now handled correctly (#2824813,
     #2925731).
+  - Send X-DNS-Prefetch-Control: off header to browsers to prevent information
+    leakage when Firefox does DNS prefetching for URL's contained in emails.
 
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
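Review bot: The new ChangeLog entry carries no reference, while the entries just above it cite their tracker items (#2830141, #2824813, #2925731). Consider appending the write-up URL from the commit message so the reason for the header can be traced later. The entry also says the header goes "to browsers" but names only Firefox as the cause; if the intent is to cover any browser that honours the header, the wording could say so.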
index 1311893..744b26d 100644 (file)
@@ -40,6 +40,9 @@ function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE
 //FIXME: should change all header() calls in SM core to use $oTemplate->header()!!
     $oTemplate->header('Pragma: no-cache'); // http 1.0 (rfc1945)
     $oTemplate->header('Cache-Control: private, no-cache, no-store'); // http 1.1 (rfc2616)
+    /* prevent information leakage about read emails by forbidding Firefox
+     * to do preemptive DNS requests for any links in the message body. */
+    $oTemplate->header('X-DNS-Prefetch-Control: off');
 
     // don't show version as a security measure
     //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
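Review bot: The header is set only inside displayHtmlHeader(), and the FIXME directly above notes that not every header() call in SM core goes through $oTemplate->header() yet. It is worth confirming that every page which renders a message body reaches this function, since any response that does not will go out without X-DNS-Prefetch-Control: off. The new comment names Firefox alone although the call is unconditional and sent to every client; rewording it to "browsers that do DNS prefetching" would match what the code does.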