View Issue Details

ID: 0005252
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2021-03-12 17:41
Reporter: abma
Assigned To: francis
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.0.1
Summary: 0005252: sogo's default configuration doesn't set a Referrer-Policy
Description

sogo in its default configuration doesn't set a Referrer-Policy. For privacy reasons this should be done.

Steps To Reproduce

go to demo.sogo.nu
write a mail
place a link to https://www.whatismyreferer.com/
save the mail

open the saved mail, click the link and see https://demo.sogo.nu/SOGo/so/sogo1/Mail/view as "Your HTTP referer".

Additional Information

For apache2 I suggest setting these headers in SOGo.conf:

Header always set Referrer-Policy "same-origin"
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-eval'; frame-src 'self'"

Tags: No tags attached.

Activities

francis

2021-03-12 17:41

administrator   ~0015140

SOGo is not ready for CSP yet. But I added the Referrer Policy. Thanks!

Related Changesets

sogo: master 22b6b4bb

2021-03-12 17:21:13

francis

chore(Apache): Don't send the Referer header for cross-origin requests

Fixes 0005252
Affected Issues
0005252
mod - Apache/SOGo.conf

Issue History

Date Modified | Username | Field | Change
2021-01-26 10:41 | abma | New Issue |
2021-03-12 17:34 | francis | Changeset attached | => sogo master 22b6b4bb
2021-03-12 17:34 | francis | Assigned To | => francis
2021-03-12 17:34 | francis | Resolution | open => fixed
2021-03-12 17:41 | francis | Status | new => resolved
2021-03-12 17:41 | francis | Note Added: 0015140 |