Open vikingmedia opened 5 years ago
This header is already being sent, it will be up to your browser to honor it. Testing with Firefox, it doesn't look like it does. Not sure there is a real big security problem here, maybe I'm wrong?

```
curl -s -I https://box.example.com/mail/ | grep x-dns-prefetch-control
x-dns-prefetch-control: off
```
Hi @jvolkenant, I don't think it's a big issue, I thought I should mention it though. I can confirm that the header is being sent.
Hi,
I just did a test of roundcube (mail-in-a-box 0.30) standard configuration on chromium/linux using https://www.emailprivacytester.com - it performed pretty well. Only two privacy-related issues were detected:
Information on what that means is available at https://www.emailprivacytester.com. It seems this is a browser-related issue, but DNS prefetching can be disabled by adding some information in the HTML header. There has been a patch for roundcube (see https://github.com/roundcube/roundcubemail/issues/2639) in 2010. This may not be a big deal, but I thought I'd just sort of mention it, so maybe it can be mitigated in future releases.
Thanks, Erik
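
Added example, not part of the thread and not Mail-in-a-Box or Roundcube code: a check that reports whether a webmail response requests DNS prefetching off through the `x-dns-prefetch-control` response header, through a `<meta http-equiv>` tag in the HTML, or not at all. The sample responses are constructed, and the `off_requested` rule (at least one `off`, no `on`) is a simplifying assumption; the result describes what the server asks for, not what the browser does with it.

```python
from html.parser import HTMLParser

HEADER = "x-dns-prefetch-control"

class _MetaFinder(HTMLParser):
    """Collects content values of <meta http-equiv="x-dns-prefetch-control">."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == HEADER:
            self.values.append(a.get("content", "").strip().lower())

def prefetch_control(raw_response: str) -> dict:
    """Report how a raw HTTP response (headers + body) sets DNS prefetch control."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    header_values = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HEADER:  # header names are case-insensitive
            header_values.append(value.strip().lower())
    finder = _MetaFinder()
    finder.feed(body)
    seen = header_values + finder.values
    return {
        "header": header_values,
        "meta": finder.values,
        # Assumption: treat the page as opted out only if nothing re-enables it.
        "off_requested": "off" in seen and "on" not in seen,
    }

# Constructed sample responses (not captured from a real server).
_BODY = "<html><head>%s<title>Webmail</title></head><body></body></html>"
HEADER_ONLY = ("HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n"
               "X-DNS-Prefetch-Control: off\r\n\r\n" + _BODY % "")
META_ONLY = ("HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n"
             + _BODY % '<meta http-equiv="x-dns-prefetch-control" content="off" />')
NEITHER = "HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n" + _BODY % ""

if __name__ == "__main__":
    for label, resp in [("header", HEADER_ONLY), ("meta", META_ONLY), ("none", NEITHER)]:
        print(label, prefetch_control(resp))
```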