
Referrer-Policy: same-origin (#6303)

* Referrer-Policy: same-origin

* same-origin for our own images

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
maTh 1 anno fa
parent
commit
1f624bc5e2
4 ha cambiato i file con 4 aggiunte e 0 eliminazioni
  1. 1 0
      app/install.php
  2. 1 0
      lib/lib_rss.php
  3. 1 0
      p/.htaccess
  4. 1 0
      p/ext.php

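--- a/app/install.php
+++ b/app/install.php
@@ -5,6 +5,7 @@ if (function_exists('opcache_reset')) {
 	opcache_reset();
 }
 header("Content-Security-Policy: default-src 'self'");
+header('Referrer-Policy: same-origin');
 
 require(LIB_PATH . '/lib_install.php');
 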
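Review bot: The two security-header lines at the top of the installer carry no comment explaining their intent, and the new Referrer-Policy line makes that pair worth documenting. A one-line comment above the CSP line such as `// Security headers for the installer: only load resources from this origin and never send our URLs as Referer to other origins` would tell the next maintainer why both are emitted here rather than only via p/.htaccess. The statement run this hunk belongs to starts before the hunk (the opcache_reset() guard), so this is a documentation suggestion only.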

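--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -981,6 +981,7 @@ function errorMessageInfo(string $errorTitle, string $error = ''): string {
 	}
 
 	header("Content-Security-Policy: default-src 'self'");
+	header('Referrer-Policy: same-origin');
 
 	return <<<MSG
 	<!DOCTYPE html><html><header><title>HTTP 500: {$errorTitle}</title></header><body>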
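Review bot: The added header() call, like the CSP line right above it, is silently dropped (with a "headers already sent" warning) if errorMessageInfo() is reached after output has already started, which seems plausible for a helper that builds an HTTP 500 page. Guarding both calls with `if (!headers_sent()) {` … `}` would avoid the warning and make it explicit that the headers are best-effort on a partially rendered response. The body of errorMessageInfo() starts before and ends after this hunk, so I cannot see whether callers already guarantee no prior output.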

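--- a/p/.htaccess
+++ b/p/.htaccess
@@ -41,6 +41,7 @@ AddDefaultCharset	UTF-8
 		Header	merge Cache-Control "public"
 	</FilesMatch>
 	Header edit Set-Cookie ^(.*)$ "$1; SameSite=Lax"
+	Header set Referrer-Policy "same-origin"
 </IfModule>
 
 # Provide the true IP address of the connection (e.g. last proxy), even when using mod_remoteip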
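Review bot: `Header set` overwrites whatever Referrer-Policy a PHP script emits, so under Apache with mod_headers the header() calls this commit adds to ext.php and the error page can never choose a different policy per response; the `Header edit Set-Cookie` line just above shows mod_headers is already acting on PHP-emitted headers here. If the intent is a site-wide default that scripts may override, `Header setifempty Referrer-Policy "same-origin"` (Apache 2.4.7+) keeps the default without clobbering script-level values. Note also that this line sits inside the `<IfModule mod_headers.c>` block whose opening is outside the hunk, so deployments without mod_headers, or behind nginx/Caddy, get the header only from the three PHP scripts touched in this commit.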

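--- a/p/ext.php
+++ b/p/ext.php
@@ -112,6 +112,7 @@ if (!is_valid_path($absolute_filename)) {
 $content_type = SUPPORTED_TYPES[$file_type];
 header("Content-Type: {$content_type}");
 header("Content-Disposition: inline; filename='{$file_name}'");
+header('Referrer-Policy: same-origin');
 
 $mtime = @filemtime($absolute_filename);
 if ($mtime === false) {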
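Review bot: For a file-serving endpoint that sets Content-Type from a lookup table and serves inline, Referrer-Policy only matters for the subset of SUPPORTED_TYPES that can themselves issue requests (SVG, HTML), and it is not visible here whether `X-Content-Type-Options: nosniff` is already emitted; if it is not, adding `header('X-Content-Type-Options: nosniff');` next to the new line would stop browsers from reinterpreting an extension asset as a different type. A short comment such as `// Extension assets may be SVG/HTML; keep our URLs out of their outbound Referer headers` above the added line would record why a static-asset handler needs this header at all. Unrelated to this change, the Content-Disposition line above wraps filename in single quotes, which RFC 6266 does not define as quoting, so the quotes likely end up as part of the suggested filename; that is worth a separate fix. This top-level statement run starts before the hunk (the is_valid_path() check) and continues after it.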