From 82d6de254a3af0b73d7cbd39fd941bf8a954a87a Mon Sep 17 00:00:00 2001
From: kink
Date: Sat, 13 Feb 2010 16:27:52 +0000
Subject: [PATCH] Send X-DNS-Prefetch-Control: off header to browsers to prevent information leakage when Firefox does DNS prefetching for URL's contained in emails.
https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@13903 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 doc/ChangeLog | 2 ++
 functions/page_header.php | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 00f1a2dd..ee541246 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -333,6 +333,8 @@ Version 1.5.2 - SVN
 - Encoded From headers now properly quoted (#2830141).
 - Multibyte strings (notably subjects) are now handled correctly (#2824813, #2925731).
+ - Send X-DNS-Prefetch-Control: off header to browsers to prevent information
+ leakage when Firefox does DNS prefetching for URL's contained in emails.
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
diff --git a/functions/page_header.php b/functions/page_header.php
index 1311893e..744b26d6 100644
--- a/functions/page_header.php
+++ b/functions/page_header.php
@@ -40,6 +40,9 @@ function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE
 //FIXME: should change all header() calls in SM core to use $oTemplate->header()!!
 $oTemplate->header('Pragma: no-cache'); // http 1.0 (rfc1945)
 $oTemplate->header('Cache-Control: private, no-cache, no-store'); // http 1.1 (rfc2616)
+ /* prevent information leakage about read emails by forbidding Firefox * to do preemptive DNS requests for any links in the message body. */
+ $oTemplate->header('X-DNS-Prefetch-Control: off');
 // don't show version as a security measure
 //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
-- 
2.25.1
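Review bot: The added `X-DNS-Prefetch-Control: off` header is a hint that browsers may or may not honor, so the new comment's "forbidding Firefox" overstates what the page_header.php hunk guarantees — speculative lookups are suppressed only in user agents that implement the header, and a link the user actually clicks or a remote image the page loads still resolves the host. Suggest rewording the comment to `/* Ask the browser not to prefetch DNS for links in the message body: a hint (not enforced) that stops speculative lookups from revealing which mails were read; clicks and remote loads still resolve. */`. The header is emitted only from displayHtmlHeader, whose body starts and ends outside the hunk, so any response that renders message content without passing through this function would presumably still prefetch — worth confirming. Minor style point: the neighbouring comments in this block use `//`, while the new comment uses `/* */`.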