Use a system setting for the Referer policy (#33239)
							parent
							
								
									7d52b24569
								
							
						
					
					
						commit
						2a369a8977
					
				|  | @ -7,6 +7,7 @@ module WebAppControllerConcern | |||
|     vary_by 'Accept, Accept-Language, Cookie' | ||||
| 
 | ||||
|     before_action :redirect_unauthenticated_to_permalinks! | ||||
|     before_action :set_referer_header | ||||
| 
 | ||||
|     content_security_policy do |p| | ||||
|       policy = ContentSecurityPolicy.new | ||||
|  | @ -41,4 +42,10 @@ module WebAppControllerConcern | |||
|       end | ||||
|     end | ||||
|   end | ||||
| 
 | ||||
|   protected | ||||
| 
 | ||||
|   def set_referer_header | ||||
|     response.set_header('Referrer-Policy', Setting.allow_referrer_origin ? 'origin' : 'same-origin') | ||||
|   end | ||||
| end | ||||
|  |  | |||
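Review bot: The key read on the `response.set_header` line, `Setting.allow_referrer_origin`, does not match the key added to settings.yml in the third hunk, `allow_referer_origin: false`; depending on how Setting treats undefined keys this either raises or always yields `same-origin`, so the admin toggle would never switch the header to `origin`. Either spelling works as long as both sides agree, e.g. `response.set_header('Referrer-Policy', Setting.allow_referer_origin ? 'origin' : 'same-origin')`. A short comment above the method would help the next reader, e.g. `# Overrides the Referrer-Policy default header from the environment config; 'origin' sends only the origin, never the path, to third parties.` Note that `origin` still sends the origin on an HTTPS-to-HTTP downgrade whereas `strict-origin` does not, which is worth weighing for the permissive option. The enclosing module starts outside the first hunk.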
|  | @ -153,7 +153,7 @@ Rails.application.configure do | |||
|     'X-Frame-Options' => 'DENY', | ||||
|     'X-Content-Type-Options' => 'nosniff', | ||||
|     'X-XSS-Protection' => '0', | ||||
|     'Referrer-Policy' => ENV['ALLOW_REFERRER_ORIGIN'] == 'true' ? 'origin' : 'same-origin', | ||||
|     'Referrer-Policy' => 'same-origin', | ||||
|   } | ||||
| 
 | ||||
|   # TODO: Remove once devise-two-factor data migration complete | ||||
|  |  | |||
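Review bot: Dropping the `ENV['ALLOW_REFERRER_ORIGIN']` branch on the `'Referrer-Policy'` line silently changes behavior for deployments that set that variable: they fall back to `same-origin` until an admin enables the new setting, and responses not served through WebAppControllerConcern now always get `same-origin`. If that is intended, a comment on the line would make it explicit, e.g. `# Default for every response; WebAppControllerConcern#set_referer_header overrides it per the admin setting.` The removed variable should also be called out in the release notes so operators know to migrate. The hash this entry belongs to starts outside the hunk.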
|  | @ -51,6 +51,7 @@ defaults: &defaults | |||
|   require_invite_text: false | ||||
|   backups_retention_period: 7 | ||||
|   captcha_enabled: false | ||||
|   allow_referer_origin: false | ||||
| 
 | ||||
| development: | ||||
|   <<: *defaults | ||||
|  |  | |||