New option cross_origin_referer to use origin only Referer

2021-04-10 22:29:18 +09:00
parent 4e0375c76f
commit 22d33dc8c9
3 changed files with 34 additions and 2 deletions
--- a/fm.h
+++ b/fm.h
@@ -1025,6 +1025,7 @@ global char *image_source init(NULL);
 #endif
 global char *UserAgent init(NULL);
 global int NoSendReferer init(FALSE);
+global int CrossOriginReferer init(TRUE);
 global char *AcceptLang init(NULL);
 global char *AcceptEncoding init(NULL);
 global char *AcceptMedia init(NULL);
--- a/rc.c
+++ b/rc.c
@@ -194,6 +194,7 @@ static int OptionEncode = FALSE;
 #endif				/* USE_MOUSE */
 #define CMT_CLEAR_BUF     N_("Free memory of undisplayed buffers")
 #define CMT_NOSENDREFERER N_("Suppress `Referer:' header")
+#define CMT_CROSSORIGINREFERER N_("Exclude pathname and query string from `Referer:' header when cross domain communication")
 #define CMT_IGNORE_CASE N_("Search case-insensitively")
 #define CMT_USE_LESSOPEN N_("Use LESSOPEN")
 #ifdef USE_SSL
@@ -678,6 +679,8 @@ struct param_ptr params9[] = {
    {"user_agent", P_STRING, PI_TEXT, (void *)&UserAgent, CMT_USERAGENT, NULL},
    {"no_referer", P_INT, PI_ONOFF, (void *)&NoSendReferer, CMT_NOSENDREFERER,
     NULL},
+    {"cross_origin_referer", P_INT, PI_ONOFF, (void *)&CrossOriginReferer,
+     CMT_CROSSORIGINREFERER, NULL},
    {"accept_language", P_STRING, PI_TEXT, (void *)&AcceptLang, CMT_ACCEPTLANG,
     NULL},
    {"accept_encoding", P_STRING, PI_TEXT, (void *)&AcceptEncoding,
--- a/url.c
+++ b/url.c
@@ -1374,6 +1374,21 @@ parsedURL2Str(ParsedURL *pu)
    return _parsedURL2Str(pu, FALSE, TRUE, TRUE);
 }

+static Str
+parsedURL2RefererOriginStr(ParsedURL *pu)
+{
+    Str s;
+    char *f = pu->file, *q = pu->query;
+
+    pu->file = NULL;
+    pu->query = NULL;
+    s = _parsedURL2Str(pu, FALSE, FALSE, FALSE);
+    pu->file = f;
+    pu->query = q;
+
+    return s;
+}
+
 Str
 parsedURL2RefererStr(ParsedURL *pu)
 {
@@ -1455,6 +1470,13 @@ otherinfo(ParsedURL *target, ParsedURL *current, char *referer)
    no_referer_ptr = query_SCONF_NO_REFERER_TO(target);
    no_referer = no_referer || (no_referer_ptr && *no_referer_ptr);
    if (!no_referer) {
+	int cross_origin = FALSE;
+	if (CrossOriginReferer && current && current->host &&
+	    (!target || !target->host ||
+	     strcasecmp(current->host, target->host) != 0 || 
+	     current->port != target->port ||
+	     current->scheme != target->scheme))
+	    cross_origin = TRUE;
 #ifdef USE_SSL
        if (current && current->scheme == SCM_HTTPS && target->scheme != SCM_HTTPS) {
 	  /* Don't send Referer: if https:// -> http:// */
@@ -1466,12 +1488,18 @@ otherinfo(ParsedURL *target, ParsedURL *current, char *referer)
 	    (current->scheme != SCM_FTP ||
 	     (current->user == NULL && current->pass == NULL))) {
 	    Strcat_charp(s, "Referer: ");
-	    Strcat(s, parsedURL2RefererStr(current));
+	    if (cross_origin)
+		Strcat(s, parsedURL2RefererOriginStr(current));
+	    else
+		Strcat(s, parsedURL2RefererStr(current));
 	    Strcat_charp(s, "\r\n");
 	}
 	else if (referer != NULL && referer != NO_REFERER) {
 	    Strcat_charp(s, "Referer: ");
-	    Strcat_charp(s, referer);
+	    if (cross_origin)
+		Strcat(s, parsedURL2RefererOriginStr(current));
+	    else
+		Strcat_charp(s, referer);
 	    Strcat_charp(s, "\r\n");
 	}
    }