
Update Referrer-Policy

Change origin-when-cross-origin to strict-origin-when-cross-origin.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Visman před 4 roky
rodič
revize
389838a249
3 změnil soubory, kde provedl 4 přidání a 4 odebrání
  1. 1 1
      .dist.htaccess
  2. 2 2
      app/config/main.dist.php
  3. 1 1
      public/.dist.htaccess

+ 1 - 1
.dist.htaccess

@@ -42,7 +42,7 @@ AddDefaultCharset UTF-8
   #
   Header always set Content-Security-Policy "default-src 'self';object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"
   Header always set Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" "expr=-z %{resp:Feature-Policy}"
-  Header always set Referrer-Policy "origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
+  Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
 #  Header set Strict-Transport-Security "max-age=31536000" "expr=-z %{resp:Strict-Transport-Security}"
   Header always set X-Content-Type-Options "nosniff" "expr=-z %{resp:X-Content-Type-Options}"
   Header always set X-Frame-Options "DENY" "expr=-z %{resp:X-Frame-Options}"
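Review bot: The changed directive carries no comment explaining the choice, and because of the `expr=-z %{resp:Referrer-Policy}` guard it is only a fallback for responses where the application did not already emit the header — the same value lives in `app/config/main.dist.php`, which is why this one-word policy change needed four edits across three files. A one-line comment above the directive would make that coupling visible, e.g. `# Fallback only; app/config/main.dist.php sets the same header — keep both in sync.` It is also worth recording in the `#` comment block just above the hunk that `strict-origin-when-cross-origin` differs from the old value only by withholding the referrer on HTTPS-to-HTTP downgrades (per the linked MDN page), so nobody reverts it as cosmetic. The `Strict-Transport-Security` line directly below the change remains commented out, so this file still does not enforce HTTPS on its own; that is pre-existing, not introduced here.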

+ 2 - 2
app/config/main.dist.php

@@ -58,7 +58,7 @@ return [
             'X-Content-Type-Options'  => 'nosniff',
             'X-Frame-Options'         => 'DENY',
             'X-XSS-Protection'        => '1; mode=block',
-            'Referrer-Policy'         => 'origin-when-cross-origin',
+            'Referrer-Policy'         => 'strict-origin-when-cross-origin',
             'Content-Security-Policy' => 'default-src \'self\';img-src *;object-src \'none\';frame-ancestors \'none\';base-uri \'self\';form-action \'self\'',
             'Feature-Policy'          => 'accelerometer \'none\';ambient-light-sensor \'none\';autoplay \'none\';battery \'none\';camera \'none\';document-domain \'self\';fullscreen \'self\';geolocation \'none\';gyroscope \'none\';magnetometer \'none\';microphone \'none\';midi \'none\';payment \'none\';picture-in-picture \'none\';sync-xhr \'self\';usb \'none\'',
         ],
@@ -66,7 +66,7 @@ return [
             'X-Content-Type-Options'  => 'nosniff',
             'X-Frame-Options'         => 'DENY',
             'X-XSS-Protection'        => '1; mode=block',
-            'Referrer-Policy'         => 'origin-when-cross-origin',
+            'Referrer-Policy'         => 'strict-origin-when-cross-origin',
             'Content-Security-Policy' => 'default-src \'self\';object-src \'none\';frame-ancestors \'none\';base-uri \'self\';form-action \'self\'',
             'Feature-Policy'          => 'accelerometer \'none\';ambient-light-sensor \'none\';autoplay \'none\';battery \'none\';camera \'none\';document-domain \'self\';fullscreen \'self\';geolocation \'none\';gyroscope \'none\';magnetometer \'none\';microphone \'none\';midi \'none\';payment \'none\';picture-in-picture \'none\';sync-xhr \'self\';usb \'none\'',
         ],
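Review bot: The two hunks change byte-identical `'Referrer-Policy'` entries in two sibling header maps, and every other line in both maps except `Content-Security-Policy` (the first allows `img-src *`) is also identical — the duplication is what forced this commit to edit the value twice and is the likeliest way a future tightening lands in one profile but not the other. A shared local such as `$commonHeaders` defined once before the enclosing `return [` (which starts outside these hunks) and merged into each entry, with only the CSP string differing, would leave one place to change. Separately, the retained `'X-XSS-Protection' => '1; mode=block'` on the new side is deprecated and the legacy auditor it enabled was itself abused for cross-site leaks; current guidance is to disable it explicitly with `'X-XSS-Protection' => '0',` or drop it, since the CSP already present does the real work. Confirm the target browser set before removing it entirely.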

+ 1 - 1
public/.dist.htaccess

@@ -42,7 +42,7 @@ AddDefaultCharset UTF-8
   #
   Header always set Content-Security-Policy "default-src 'self';object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"
   Header always set Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" "expr=-z %{resp:Feature-Policy}"
-  Header always set Referrer-Policy "origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
+  Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
 #  Header set Strict-Transport-Security "max-age=31536000" "expr=-z %{resp:Strict-Transport-Security}"
   Header always set X-Content-Type-Options "nosniff" "expr=-z %{resp:X-Content-Type-Options}"
   Header always set X-Frame-Options "DENY" "expr=-z %{resp:X-Frame-Options}"
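Review bot: With the Referrer-Policy now aligned across files, the remaining cross-file inconsistency in this block is the CSP: this file sends `base-uri 'none'` while both profiles in `app/config/main.dist.php` send `base-uri 'self'`, and the `expr=-z %{resp:Content-Security-Policy}` guard means whichever layer emits the header first silently decides which policy applies. One of the two should be changed so the `.htaccess` fallback and the application agree; `'none'` is the stricter choice if the application never uses a relative `<base href>`, which I cannot confirm from the hunk. The visible hunk is also line-for-line identical to the one in `.dist.htaccess`, so a short comment such as `# Mirrors .dist.htaccess; change both together.` would help keep the two fallbacks from drifting.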