ReferrerPolicy

2025-12-17 22:14:26 +01:00 · 2018-07-12 02:38:08 +09:00
parent 5dd57c8064
commit 10ceddc709
3 changed files with 36 additions and 0 deletions
--- a/BTCPayServer/Controllers/InvoiceController.UI.cs
+++ b/BTCPayServer/Controllers/InvoiceController.UI.cs
@@ -175,6 +175,7 @@ namespace BTCPayServer.Controllers
        [Route("invoice")]
        [AcceptMediaTypeConstraint("application/bitcoin-paymentrequest", false)]
        [XFrameOptionsAttribute(null)]
+        [ReferrerPolicyAttribute("origin")]
        public async Task<IActionResult> Checkout(string invoiceId, string id = null, string paymentMethodId = null)
        {
            //Keep compatibility with Bitpay
--- a/BTCPayServer/Filters/ReferrerPolicyAttribute.cs
+++ b/BTCPayServer/Filters/ReferrerPolicyAttribute.cs
@@ -0,0 +1,34 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace BTCPayServer.Filters
+{
+    public interface IReferrerPolicy : IFilterMetadata { }
+    public class ReferrerPolicyAttribute : Attribute, IActionFilter
+    {
+        public ReferrerPolicyAttribute(string value)
+        {
+            Value = value;
+        }
+        public string Value { get; set; }
+        public void OnActionExecuted(ActionExecutedContext context)
+        {
+
+        }
+
+        public void OnActionExecuting(ActionExecutingContext context)
+        {
+            if (context.IsEffectivePolicy<ReferrerPolicyAttribute>(this))
+            {
+                var existing = context.HttpContext.Response.Headers["Referrer-Policy"].FirstOrDefault();
+                if (existing != null && Value == null)
+                    context.HttpContext.Response.Headers.Remove("Referrer-Policy");
+                else
+                    context.HttpContext.Response.Headers["Referrer-Policy"] = Value;
+            }
+        }
+    }
+}
--- a/BTCPayServer/Hosting/Startup.cs
+++ b/BTCPayServer/Hosting/Startup.cs
@@ -81,6 +81,7 @@ namespace BTCPayServer.Hosting
                o.Filters.Add(new XFrameOptionsAttribute("DENY"));
                o.Filters.Add(new XContentTypeOptionsAttribute("nosniff"));
                o.Filters.Add(new XXSSProtectionAttribute());
+                o.Filters.Add(new ReferrerPolicyAttribute("same-origin"));
            });

            services.Configure<IdentityOptions>(options =>