Restore Referer-Policy and wrap up MbedTLS changes

redbean will now set Referer-Policy to no-referrer-when-downgrade on
text/html responses by default. There are better explanations on the bits
of security redbean is offering. In short, it's 128+ for modern clients
and 112+ for legacy. If the -B flag is used then it's 192+ for modern
and 150+ for non-EC.
Justine Tunney 2021-08-03 22:42:17 -07:00
parent 344d2dc356
commit df8ab0aa0c
32 changed files with 679 additions and 663 deletions


@ -1270,9 +1270,13 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
#if 1
/*
* This code path strengthens the server against DOS attacks by
* weakening Internet Explorer sessions against Lucky Thirteen.
*/
MD_CHK( mbedtls_md_update( ctx, data + min_data_len, data_len_secret - min_data_len ) );
MD_CHK( mbedtls_md_finish( ctx, output ) );
#else /* come on! */
#else
mbedtls_md_context_t aux;
mbedtls_md_init( &aux );
MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
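Review bot: the literal `#if 1` at the top of this hunk permanently selects the single-pass branch, so `mbedtls_md_update( ctx, data + min_data_len, data_len_secret - min_data_len )` hashes a number of bytes that depends on `data_len_secret`, and the `#else` branch that sets up `aux` is never compiled. The new comment says this is a deliberate trade of Lucky Thirteen resistance for DoS resistance, so it should be a named build-time option rather than a bare `1`: that makes the choice visible in configuration and keeps the other path buildable and testable. The comment would also be easier to act on if it described the affected connections in terms of what this function sees rather than as "Internet Explorer sessions", so a reader can tell when the weaker path applies.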