From cd83f9f0ebeefafac6d4be15abda83a0a5e1d1f4 Mon Sep 17 00:00:00 2001
From: mutantmonkey
Date: Sun, 11 Oct 2015 23:31:57 -0700
Subject: [PATCH] fix CSP referrer policy

The policy of "referrer none" was incorrect and was nonfunctional. With this change, the CSP referrer policy is set to origin, which will causes only the origin to be sent for requests made from the main site. A fix was also needed for referrer checks in two places.
---
 csrf.go | 6 ++++--
 fileserve.go | 3 ++-
 server.go | 4 ++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/csrf.go b/csrf.go
index 5f8ca48..61799db 100644
--- a/csrf.go
+++ b/csrf.go
@@ -12,11 +12,13 @@ func strictReferrerCheck(r *http.Request, prefix string, whitelistHeaders []stri
 }
 }
 
- if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, prefix) {
+ p := strings.TrimSuffix(prefix, "/")
+
+ if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p) {
 return false
 }
 
- if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, strings.TrimSuffix(prefix, "/")) {
+ if origin := r.Header.Get("Origin"); origin != "" && !strings.HasPrefix(origin, p) {
 return false
 }
 
diff --git a/fileserve.go b/fileserve.go
index d41523d..cc682ca 100644
--- a/fileserve.go
+++ b/fileserve.go
@@ -26,7 +26,8 @@ func fileServeHandler(c web.C, w http.ResponseWriter, r *http.Request) {
 
 if !Config.allowHotlink {
 referer := r.Header.Get("Referer")
- if referer != "" && !strings.HasPrefix(referer, Config.siteURL) {
+ prefix := strings.TrimSuffix(Config.siteURL, "/")
+ if referer != "" && !strings.HasPrefix(referer, prefix) {
 w.WriteHeader(403)
 return
 }
diff --git a/server.go b/server.go
index 4cb88e4..6f1b63e 100644
--- a/server.go
+++ b/server.go
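Review bot: The new `if referrer := r.Header.Get("Referer"); !strings.HasPrefix(referrer, p)` line now matches against a prefix with no trailing delimiter, so with a siteURL of `https://example.com/` a Referer of `https://example.com.attacker.net/` (or `https://example.com:8443/`, a different origin on the same host) satisfies the check, and the Origin comparison below it has the same weakness. Trimming the slash is reasonable for Origin, which carries no path, but the Referer comparison should put the delimiter back: `if referrer := r.Header.Get("Referer"); referrer != p && !strings.HasPrefix(referrer, p+"/") {`. For Origin an exact `origin != p` is tighter whenever prefix is a bare scheme://host[:port], which looks like the common case here but depends on how callers build prefix. Parsing both headers with `url.Parse` and comparing scheme and host against the configured site would avoid the string-prefix pitfall entirely. strictReferrerCheck begins before this hunk (the whitelist-header loop) and its tail lies after it.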
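Review bot: The hotlink guard's new `if referer != "" && !strings.HasPrefix(referer, prefix)` has the same suffix problem introduced in csrf.go: once the trailing slash is stripped from siteURL, a Referer from `https://example.com.other-host.tld/` or from another port on the same host passes as if it came from the site. Keep the delimiter in the comparison, `if referer != "" && referer != prefix && !strings.HasPrefix(referer, prefix+"/") {`, or parse the Referer and compare scheme and host. This is a hotlinking control rather than an authorization boundary, so the impact is limited, but the check is cheap to make exact. fileServeHandler starts before and continues after this hunk.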
@@ -184,10 +184,10 @@ func main() {
 flag.StringVar(&Config.remoteAuthFile, "remoteauthfile", "",
 "path to a file containing newline-separated scrypted auth keys for remote uploads")
 flag.StringVar(&Config.contentSecurityPolicy, "contentsecuritypolicy",
- "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer none;",
+ "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer origin;",
 "value of default Content-Security-Policy header")
 flag.StringVar(&Config.fileContentSecurityPolicy, "filecontentsecuritypolicy",
- "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer none;",
+ "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; sandbox; referrer origin;",
 "value of Content-Security-Policy header for file access")
 flag.StringVar(&Config.xFrameOptions, "xframeoptions", "SAMEORIGIN",
 "value of X-Frame-Options header")
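Review bot: The `referrer origin` token in both default CSP strings relies on a directive that only ever appeared in a CSP draft and was never part of a published level; browsers that do not recognise it ignore it with a console warning and keep their default referrer behaviour, so origin-only leakage is not guaranteed by these two lines alone. The durable way to express this is the `Referrer-Policy` response header (`origin`, or `same-origin` / `strict-origin-when-cross-origin` if that better matches what the site wants), emitted alongside the CSP header wherever these values are written out, which is outside this hunk. Leaving the CSP token in place is harmless for parsers that skip unknown directives, but it should not be treated as the enforcement mechanism, and the commit message's claim that only the origin will be sent should be read with that caveat. A flag mirroring the xframeoptions one on the following lines, e.g. `flag.StringVar(&Config.referrerPolicy, "referrerpolicy", "origin", "value of Referrer-Policy header")`, would keep it configurable in the same style. main() continues outside this hunk.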