authorJob Bautista <jobbautista9@protonmail.com>2022-07-25 18:56:46 +0800
committerJob Bautista <jobbautista9@protonmail.com>2022-07-25 18:56:46 +0800
commitb20b9797dcb42766f9ad114e3093cb241f4258a0 (patch)
tree3b15dbc4ab2ff9705755974a86c0ee8e2023b264 /modules
parent6542ca6bcdf836ee1fb82b75d77adb0e9604b97b (diff)
downloaduxp-b20b9797dcb42766f9ad114e3093cb241f4258a0.tar.gz
Issue #1975 - Implement Origin header CSRF mitigation.
Backported from Mozilla bug 446344.
Diffstat (limited to 'modules')
-rw-r--r--modules/libpref/init/all.js4
1 files changed, 4 insertions, 0 deletions
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index f391dd4739..d17082364a 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1462,6 +1462,10 @@ pref("network.http.referer.XOriginTrimmingPolicy", 0);
// 0=always send, 1=send iff base domains match, 2=send iff hosts match
pref("network.http.referer.XOriginPolicy", 0);
+// Include an origin header on non-GET and non-HEAD requests regardless of CORS
+// 0=never send, 1=send when same-origin only, 2=always send
+pref("network.http.sendOriginHeader", 0);
+
// Controls whether referrer attributes in <a>, <img>, <area>, <iframe>, and <link> are honoured
pref("network.http.enablePerElementReferrer", true);
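Review bot: The new pref `network.http.sendOriginHeader` is added with a default of 0 (never send), so as far as this hunk shows, the CSRF mitigation named in the commit title stays off until a user or a later commit changes the value. If that default is a deliberate web-compatibility choice for the backport, the comment should say so, for example `// Default 0 keeps the header off; 2 lets servers check Origin on every non-GET/non-HEAD request`. The line `1=send when same-origin only` could also state which two origins are compared (presumably the triggering page and the request target), since that decides whether cross-site form posts carry the header. The diffstat is limited to modules/, so the code that reads the pref is not visible here; it is worth confirming that it treats values outside 0-2 as 0.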