- Affected version
- 2.3.0 RC 5
When accessing an external service like the IP information URL, XenForo performs a redirect to the target URL.
Depending on the browser (version) and the protocol (HTTP vs. HTTPS), this may leak the full URL of the page from which the service was accessed in the Referer header.
The full URL may allow the service to relate the data it serves (IP address, location, etc.) to a specific user at a specific time.
Suggested Mitigation
Add Response-Header
Referrer-Policy: no-referrer
when performing those redirects, so that supporting browsers (every major browser since 2020, and Firefox, Chrome and Safari for far longer) do not leak any information via the Referer header.
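As an added illustration for this report (not XenForo's code), the Python below reimplements the browser-side "determine request's referrer" algorithm from the Fetch standard for every Referrer-Policy value, so the leak described above can be reproduced offline: the Referer on a redirected request is still the page that started the navigation, and a Referrer-Policy header on the redirect response changes which part of it is sent on the next hop. The forum and IP-service URLs are constructed for the example; the browser defaults named in the constants are the legacy and current defaults, not anything taken from XenForo.

```python
"""Referer leakage through a server-side redirect, and the header that stops it.

Added illustration for this report (not XenForo code): a reimplementation of the
browser-side "determine request's referrer" algorithm from the Fetch standard,
so the behaviour described in the report can be reproduced for each policy.
"""
from urllib.parse import urlsplit, urlunsplit

# URLs constructed for the example; hypothetical, not XenForo's.
FORUM_PAGE = "https://forum.example/members/1234/ip-lookup?ip=203.0.113.7&t=1700000000"
IP_SERVICE_HTTPS = "https://ipinfo.example/lookup?ip=203.0.113.7"
IP_SERVICE_HTTP = "http://ipinfo.example/lookup?ip=203.0.113.7"

LEGACY_DEFAULT = "no-referrer-when-downgrade"       # browser default until ~2020
MODERN_DEFAULT = "strict-origin-when-cross-origin"  # browser default since then

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str):
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme))


def _strip_for_referrer(url: str, origin_only: bool = False) -> str:
    """'Strip url for use as a referrer': drop credentials and fragment; with
    origin_only also drop path and query, leaving scheme://host[:port]/ ."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None:
        netloc += f":{p.port}"
    if origin_only:
        return urlunsplit((p.scheme, netloc, "/", "", ""))
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referer_header(policy: str, source: str, destination: str):
    """Referer value a browser sends when navigating from `source` (the page the
    user was on) to `destination` under `policy`; None means no header at all."""
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme != "https"
    same_origin = _origin(source) == _origin(destination)
    full = _strip_for_referrer(source)
    origin = _strip_for_referrer(source, origin_only=True)

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


def redirect_headers(target: str, referrer_policy: str = "no-referrer"):
    """Headers for the redirect response. A Referrer-Policy header on a redirect
    response replaces the policy of the request being redirected, so the
    follow-up request to `target` is built with it (here: no Referer at all)."""
    return [("Location", target), ("Referrer-Policy", referrer_policy), ("Cache-Control", "no-store")]


def leak_matrix(source: str, destination: str) -> dict:
    """What each browser default, and the proposed header, disclose for one redirect."""
    return {policy: referer_header(policy, source, destination)
            for policy in (LEGACY_DEFAULT, MODERN_DEFAULT, "no-referrer")}


if __name__ == "__main__":
    for dest in (IP_SERVICE_HTTPS, IP_SERVICE_HTTP):
        print(dest)
        for policy, value in leak_matrix(FORUM_PAGE, dest).items():
            print(f"  {policy:32} -> {value}")
```

Run as a script, the matrix shows the point of the report: under the legacy default an HTTPS forum redirecting to an HTTPS service sends the complete page URL (member ID, queried IP and timestamp included), the current default still sends the forum's origin, and only `no-referrer` on the redirect response sends nothing. Downgrading to an HTTP service suppresses the header under both defaults, which is why the leak depends on the protocol as well as the browser version.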