Add additional security headers to ACP requests

diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
index 4a5d6a21937201b8d8692c72b175e0e3ae29a935..5dbcb3f313df7c08fbdf60e84baf4ddba80d1fdb 100644 (file)
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
@@ -92,6 +92,15 @@ class RequestHandler extends SingletonFactory
 
             $this->checkOfflineMode();
 
+            if (
+                $this->isACPRequest()
+                && !ApplicationHandler::getInstance()->isMultiDomainSetup()
+            ) {
+                \header('referrer-policy: same-origin');
+                \header('cross-origin-opener-policy: same-origin');
+                \header('cross-origin-resource-policy: same-site');
+            }
+
             // start request
             $result = $this->getActiveRequest()->execute();