mirror of
https://github.com/mastodon/mastodon.git
synced 2024-12-29 14:35:06 +01:00
Use a system setting for the Referer policy (#33239)
This commit is contained in:
parent
7d52b24569
commit
2a369a8977
@ -7,6 +7,7 @@ module WebAppControllerConcern
|
||||
vary_by 'Accept, Accept-Language, Cookie'
|
||||
|
||||
before_action :redirect_unauthenticated_to_permalinks!
|
||||
before_action :set_referer_header
|
||||
|
||||
content_security_policy do |p|
|
||||
policy = ContentSecurityPolicy.new
|
||||
@ -41,4 +42,10 @@ module WebAppControllerConcern
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
def set_referer_header
|
||||
response.set_header('Referrer-Policy', Setting.allow_referrer_origin ? 'origin' : 'same-origin')
|
||||
end
|
||||
end
|
||||
|
@ -153,7 +153,7 @@ Rails.application.configure do
|
||||
'X-Frame-Options' => 'DENY',
|
||||
'X-Content-Type-Options' => 'nosniff',
|
||||
'X-XSS-Protection' => '0',
|
||||
'Referrer-Policy' => ENV['ALLOW_REFERRER_ORIGIN'] == 'true' ? 'origin' : 'same-origin',
|
||||
'Referrer-Policy' => 'same-origin',
|
||||
}
|
||||
|
||||
# TODO: Remove once devise-two-factor data migration complete
|
||||
|
@ -51,6 +51,7 @@ defaults: &defaults
|
||||
require_invite_text: false
|
||||
backups_retention_period: 7
|
||||
captcha_enabled: false
|
||||
allow_referer_origin: false
|
||||
|
||||
development:
|
||||
<<: *defaults
|
||||
|
Loading…
Reference in New Issue
Block a user