0005252: sogo's default configuration doesn't set a Referrer-Policy - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0005252	SOGo	Web Mail	public	2021-01-26 15:41	2021-03-12 22:41

Reporter	abma	Assigned To	francis
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	5.0.1

Summary	0005252: sogo's default configuration doesn't set a Referrer-Policy
Description	sogo in its default configuration doesn't set a Referrer-Policy. for privacy reason this should be done.
Steps To Reproduce	go to demo.sogo.nu write a mail place a link to https://www.whatismyreferer.com/ save the mail open the saved mail, klick the link and see https://demo.sogo.nu/SOGo/so/sogo1/Mail/view as "Your HTTP referer".
Additional Information	for apache2 i suggest to set these headers in SOGo.conf: Header always set Referrer-Policy "same-origin" Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' img-src 'self' data: script-src 'self' 'unsafe-eval' frame-src 'self'"
Tags	No tags attached.

Date Modified	Username	Field	Change
2021-01-26 15:41	abma	New Issue
2021-03-12 22:34	francis	Changeset attached	=> sogo master 22b6b4bb
2021-03-12 22:34	francis	Assigned To	=> francis
2021-03-12 22:34	francis	Resolution	open => fixed
2021-03-12 22:41	francis	Status	new => resolved
2021-03-12 22:41	francis	Note Added: 0015140

sogo: master 22b6b4bb 2021-03-12 17:21 francis Details Diff	chore(Apache): Don't send the Referer header for cross-origin requests Fixes 0005252		Affected Issues 0005252
	mod - Apache/SOGo.conf		Diff File

francis 2021-03-12 22:41 administrator ~0015140	SOGo is not ready for CSP yet. But I added the Referrer Policy. Thanks!