Friday 12th July 2019

Account Server Cross Domain Referrer Configuration

Abdullah Malik kindly reported a security issue through responsible disclosure that we fixed immediately.

The reported issue is that the Account Server and Console did not set a Referrer-Policy HTTP header. As a result, the full address of the visiting page, which can include for example an Application ID and validation tokens with temporary validity, was sent in the Referer header to hosts outside the origin, i.e. the servers that host fonts and other static website content. We have mitigated this by setting a Referrer Policy.

We would like to thank Abdullah Malik for their report and making The Things Network a more secure place.