Referrer-Policy header is overwritten

gerben

It looks like Cloudron hides apps’ Referrer-Policy HTTP header (in this line), replacing it with the rather lax value “no-referrer-when-downgrade”, which can result in private URLs leaking to third parties.

Example case that led to this discovery: We run HedgeDoc (which adds a “same-origin” policy); and just this week we found that, without us having published our pad’s URL anywhere, somebody had edited the pad after finding the URL in their server logs.

I am not sure what the ideal solution would be. Perhaps you may want to add your referrer policy only if the application did not already specify one?

nebulon

Moved this from support to feature request section.

I agree, I think it makes sense to only set the header if not sent from downstream (ie the app already)

Are there any other ideas how to maybe better control this behavior?

girish

@gerben thanks for reporting, I have fixed the default policy to same-origin now.

That said, I think we have to report this as a security issue upstream in HedgeDoc. I see that a locked mode doc should not be editable by guests but it is. A private mode doc should not be editable by other logged in users but it is. I will report this upstream and put a link here, but looks pretty serious.

girish

I seem to have imagined things, the permissions work perfectly.

@gerben Can you clarify how an anonymous user ended up editing a doc based on a link? Was it a "freely" permission ? BTW, you can disable anonymous entirely by editing /app/data/config.json and setting allowAnonymous to false.

gerben

@girish Indeed, the pad had ‘freely’ permission; but that should mean freely editable only to people knowing the URL. By clicking a link in the pad, the pad’s URL was made available to the owner of the linked website.