From b4623c8975682b6c01468e776266f1f484e42a1c Mon Sep 17 00:00:00 2001
From: Peter Burnett
Date: Wed, 3 Jun 2020 15:18:19 +1000
Subject: [PATCH] MDL-68820 web: Added referrer policy header setting
---
 admin/settings/security.php | 17 +++++++++++++++++
 lang/en/admin.php | 3 +++
 lib/weblib.php | 5 +++++
 3 files changed, 25 insertions(+)
diff --git a/admin/settings/security.php b/admin/settings/security.php
index d8dc48a9bae..77dfb4203dc 100644
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@@ -160,6 +160,23 @@ if ($hassiteconfig) { // speedup for non-admins, add all caps used on this page
 $temp->add(new admin_setting_configportlist('curlsecurityallowedport',
 new lang_string('curlsecurityallowedport', 'admin'),
 new lang_string('curlsecurityallowedportsyntax', 'admin'), ""));
+
+ // HTTP Header referrer policy settings.
+ $referreroptions = [
+ 'default' => get_string('referrernone', 'admin'),
+ 'no-referrer' => 'no-referrer',
+ 'no-referrer-when-downgrade' => 'no-referrer-when-downgrade',
+ 'origin' => 'origin',
+ 'origin-when-cross-origin' => 'origin-when-cross-origin',
+ 'same-origin' => 'same-origin',
+ 'strict-origin' => 'strict-origin',
+ 'strict-origin-when-cross-origin' => 'strict-origin-when-cross-origin',
+ 'unsafe-url' => 'unsafe-url',
+ ];
+ $temp->add(new admin_setting_configselect('referrerpolicy',
+ new lang_string('referrerpolicy', 'admin'),
+ new lang_string('referrerpolicydesc', 'admin'), 'default', $referreroptions));
+
 $ADMIN->add('security', $temp);
 
 // "notifications" settingpage
diff --git a/lang/en/admin.php b/lang/en/admin.php
index d47cd39a47f..43da325e7a4 100644
--- a/lang/en/admin.php
+++ b/lang/en/admin.php
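Review bot: The new options array labels every policy with its raw token and only `'default'` gets a translated label, so nothing in the settings UI or the code tells an administrator that `'unsafe-url'` sends the full URL, including query strings, to third-party origins and to plain-HTTP destinations, while `'default'` means no specific header is sent and the browser's own policy applies. A comment above `$referreroptions` would make this explicit for maintainers, e.g. `// 'default' sends no Referrer-Policy header (browser policy applies); every other key is emitted verbatim. 'unsafe-url' exposes full URLs, with query strings, to any origin.` The admin-facing description string added in lang/en/admin.php could carry the same caveat so the person choosing the value sees it. The hunk sits inside the `if ($hassiteconfig)` block, which begins before this hunk.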
@@ -1068,6 +1068,9 @@ $string['purgeselectedcaches'] = 'Purge selected caches';
 $string['purgeselectedcachesfinished'] = 'The selected caches were purged.';
 $string['purgetemplates'] = 'Templates';
 $string['purgethemecache'] = 'Themes';
+$string['referrernone'] = 'Browser default';
+$string['referrerpolicy'] = 'Referrer policy';
+$string['referrerpolicydesc'] = 'Set the referrer policy header to be included with responses from your site.';
 $string['restorecourse'] = 'Restore course';
 $string['restorernewroleid'] = 'Restorers\' role in courses';
 $string['restorernewroleid_help'] = 'If the user does not already have the permission to manage the newly restored course, the user is automatically assigned this role and enrolled if necessary. Select "None" if you do not want restorers to be able to manage every restored course.';
diff --git a/lib/weblib.php b/lib/weblib.php
index c7d3d2b0bb5..29ef0e7168d 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -2285,6 +2285,11 @@ function send_headers($contenttype, $cacheable = true) {
 if (empty($CFG->allowframembedding) && !core_useragent::is_moodle_app()) {
 @header('X-Frame-Options: sameorigin');
 }
+
+ // If referrer policy is set, add a referrer header.
+ if (!empty($CFG->referrerpolicy) && ($CFG->referrerpolicy !== 'default')) {
+ @header('Referrer-Policy: ' . $CFG->referrerpolicy);
+ }
 }
 
 /**
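Review bot: The value of `$CFG->referrerpolicy` is concatenated into the `Referrer-Policy` header without being checked against the set of policies the settings page offers; the select widget constrains what an admin can pick, but `$CFG` values can also be forced from config.php, so a mistyped or unsupported token would be sent as-is (PHP's `header()` rejects embedded newlines, so this is a validity concern rather than header injection, and browsers are expected to ignore unknown tokens). Suggest gating on an allowlist, e.g. `$validpolicies = ['no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'];` followed by `if (!empty($CFG->referrerpolicy) && in_array($CFG->referrerpolicy, $validpolicies, true)) {`, which also makes the separate `!== 'default'` comparison unnecessary. The comment could say what the sentinel means, e.g. `// 'default' (the setting's default) means no header is sent and the browser's built-in policy applies.` The enclosing send_headers() starts before this hunk, so other headers it emits are outside the view.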