Use a system setting for the Referer policy (#33239)

This commit is contained in:
Renaud Chaput 2024-12-10 14:16:52 +01:00 committed by GitHub
parent 7d52b24569
commit 2a369a8977
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 9 additions and 1 deletions

View File

@ -7,6 +7,7 @@ module WebAppControllerConcern
vary_by 'Accept, Accept-Language, Cookie'
before_action :redirect_unauthenticated_to_permalinks!
before_action :set_referer_header
content_security_policy do |p|
policy = ContentSecurityPolicy.new
@ -41,4 +42,10 @@ module WebAppControllerConcern
end
end
end
protected
def set_referer_header
response.set_header('Referrer-Policy', Setting.allow_referrer_origin ? 'origin' : 'same-origin')
end
end

View File

@ -153,7 +153,7 @@ Rails.application.configure do
'X-Frame-Options' => 'DENY',
'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '0',
'Referrer-Policy' => ENV['ALLOW_REFERRER_ORIGIN'] == 'true' ? 'origin' : 'same-origin',
'Referrer-Policy' => 'same-origin',
}
# TODO: Remove once devise-two-factor data migration complete

View File

@ -51,6 +51,7 @@ defaults: &defaults
require_invite_text: false
backups_retention_period: 7
captcha_enabled: false
allow_referer_origin: false
development:
<<: *defaults