mirror of https://we.phorge.it/source/phorge.git synced 2024-11-30 02:32:42 +01:00

Add "Referrer-Policy: no-referrer" to standard HTTP headers

Summary:
Ref T4340. Some browsers respect this header and referrers are a plague upon the earth.

Also, upgrade "never" to the more modern value "no-referrer".

Test Plan:
In Safari, Firefox and Chrome, disabled `rel="noreferrer"` on links and generated a normal link to an external site. Then clicked it and checked if a referrer was sent.

  - Safari respects meta only, but "no-referrer" is fine.
  - Firefox respects both (either the header or meta tag are individually sufficient to stop referrers).
  - Chrome respects both (same as Firefox).

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19144
epriestley 2018-02-27 12:07:54 -08:00
parent dba4c4bdf6
commit 9658249ac5
2 changed files with 3 additions and 1 deletions


@ -92,6 +92,8 @@ abstract class AphrontResponse extends Phobject {
$headers[] = array('Content-Security-Policy', $csp); $headers[] = array('Content-Security-Policy', $csp);
} }
$headers[] = array('Referrer-Policy', 'no-referrer');
return $headers; return $headers;
} }
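Review bot: The new `$headers[] = array('Referrer-Policy', 'no-referrer');` line sits outside the block that guards the Content-Security-Policy header, so every subclass of AphrontResponse now emits it unconditionally, and nothing in the code says that is intended. A one-line comment stating that the policy applies to all response types would make that explicit. The literal 'no-referrer' is also repeated in the meta tag in PhabricatorBarePageView; a shared constant would keep the header and the tag from drifting apart the next time the value is changed.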


@ -119,7 +119,7 @@ class PhabricatorBarePageView extends AphrontPageView {
'meta', 'meta',
array( array(
'name' => 'referrer', 'name' => 'referrer',
'content' => 'never', 'content' => 'no-referrer',
)); ));
$response = CelerityAPI::getStaticResourceResponse(); $response = CelerityAPI::getStaticResourceResponse();
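Review bot: The 'content' => 'no-referrer' meta tag has no comment explaining why it is kept now that the same policy is also sent as an HTTP header, so a later cleanup could remove it as redundant. The test plan records that Safari respects the meta tag only, and that belongs in a comment next to the 'name' => 'referrer' array so the tag is not dropped while that remains true.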