Add "Referrer-Policy: no-referrer" to standard HTTP headers

Summary: Ref T4340. Some browsers respect this header and referrers are a plague upon the earth. Also, upgrade "never" to the more modern value "no-referrer". Test Plan: In Safari, Firefox and Chrome, disabled `rel="noreferrer"` on links and generated a normal link to an external site. Then clicked it and checked if a referrer was sent. - Safari respects meta only, but "no-referrer" is fine. - Firefox respects both (either the header or meta tag are individually sufficient to stop referrers). - Chrome respects both (same as Firefox). Maniphest Tasks: T4340 Differential Revision: https://secure.phabricator.com/D19144
2024-11-10 00:42:41 +01:00 · 2018-02-27 12:07:54 -08:00 · 2018-02-27 12:07:54 -08:00 · 9658249ac5
commit 9658249ac5
parent dba4c4bdf6
2 changed files with 3 additions and 1 deletions
--- a/src/aphront/response/AphrontResponse.php
+++ b/src/aphront/response/AphrontResponse.php
@ -92,6 +92,8 @@ abstract class AphrontResponse extends Phobject {
      $headers[] = array('Content-Security-Policy', $csp);
    }

+    $headers[] = array('Referrer-Policy', 'no-referrer');
+
    return $headers;
  }

--- a/src/view/page/PhabricatorBarePageView.php
+++ b/src/view/page/PhabricatorBarePageView.php
@ -119,7 +119,7 @@ class PhabricatorBarePageView extends AphrontPageView {
      'meta',
      array(
        'name' => 'referrer',
-        'content' => 'never',
+        'content' => 'no-referrer',
      ));

    $response = CelerityAPI::getStaticResourceResponse();