fix: Referrer-Policy no-referrer caused Origin: null on login
This commit is contained in:
parent
da99cfdb60
commit
ca52b2115b
1 changed files with 4 additions and 1 deletions
|
|
@ -80,7 +80,10 @@ async function main() {
|
|||
res.setHeader('X-Content-Type-Options', 'nosniff');
|
||||
// Clickjacking protection for the form-driven UI (login, upload, delete...).
|
||||
res.setHeader('X-Frame-Options', 'DENY');
|
||||
res.setHeader('Referrer-Policy', 'no-referrer');
|
||||
// NOTE: 'no-referrer' makes Chromium send `Origin: null` on form-POST navigations,
|
||||
// which then trips our checkOrigin CSRF guard. 'same-origin' keeps the referrer
|
||||
// hidden from external sites while preserving the Origin header for our own POSTs.
|
||||
res.setHeader('Referrer-Policy', 'same-origin');
|
||||
// No inline scripts (handlers live in /static/app.js); inline styles allowed for
|
||||
// the small dynamic bits (disk meter width). Blocks framing and foreign resources.
|
||||
res.setHeader(
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue