Allow customization of Referrer-Policy

I was researching how to customize the Referrer-Policy header and came across a previous feature request, Harden Referrer-Policy Header. That didn't really address allowing the Discourse administrator to customize it, though. The result of that ticket was that the duplicate header was dropped from the nginx config and is now being handled in Rails.

I think this feature would be useful for installations that want more stringent control of that header, and it aligns nicely with the recent CSP additions added to the GUI. Or maybe disable it in Rails and then allow an override in nginx, so it's easier for administrators to modify without requiring someone to wire up GUI changes?

I don’t see much value in the downgrade case. The default is safe as-is.

Our team wanted same-origin on this setting. Maybe that's a unique requirement on our end that many people don't care much for changing :man_shrugging:

I understand if it's not a team priority to implement, but I figured it doesn't hurt to ask :rose:

So if anyone else is reading this… I ended up having to do something like this in my config. It looks like the duplicate header was actually still in my container. I'm kind of perplexed why it's still there, but I didn't have time to dig. It was easier to just remove it.

hooks:
  before_bundle_exec:
    - exec:
        cmd:
          # drop the leftover nginx add_header so only one Referrer-Policy is sent
          - sed -i '/add_header Referrer-Policy/d' /etc/nginx/conf.d/discourse.conf
  after_bundle_exec:
    - exec:
        cmd:
          # change the Rails default header value to same-origin
          - sed -i 's/"Referrer-Policy"\ =>\ "strict-origin-when-cross-origin"/"Referrer-Policy" => "same-origin"/g' $(find /var/www -type f -name 'railtie.rb' | grep action_dispatch)
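After applying hooks like these, one way to confirm the result, as an added example that is not from this thread or from Discourse: feed the response head printed by `curl -sI` to the checker below, which flags a duplicated Referrer-Policy header and reports the value a browser would actually enforce. The sample responses are constructed.

```python
# Added example (not from the thread): check a raw HTTP response head, as
# printed by `curl -sI`, for exactly one Referrer-Policy with the intended value.

# Policy names defined by the Referrer Policy spec.
KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def parse_header_lines(raw: str) -> list[tuple[str, str]]:
    """Return (lowercased-name, value) pairs from a raw response head."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():  # blank line ends the head; ignore any body
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_referrer_policy(raw: str, expected: str) -> dict:
    """Report duplicates, unknown tokens and the policy a browser enforces."""
    values = [v for n, v in parse_header_lines(raw) if n == "referrer-policy"]
    findings = []
    if not values:
        findings.append("Referrer-Policy header missing")
    elif len(values) > 1:
        findings.append(f"Referrer-Policy sent {len(values)} times "
                        "(nginx add_header and Rails both emitting it?)")
    # Browsers fold repeated headers into one comma-separated list and
    # enforce the last token they recognize; unknown tokens are skipped.
    tokens = [t.strip().lower() for v in values for t in v.split(",")]
    findings += [f"unknown token {t!r} ignored" for t in tokens
                 if t not in KNOWN_POLICIES]
    valid = [t for t in tokens if t in KNOWN_POLICIES]
    effective = valid[-1] if valid else None
    if effective != expected:
        findings.append(f"effective policy {effective!r}, expected {expected!r}")
    return {"values": values, "effective": effective,
            "findings": findings, "ok": not findings}

# Constructed: Rails header plus the leftover nginx add_header from the post.
SAMPLE_DUPLICATE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                    "Referrer-Policy: same-origin\r\n"
                    "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n")
# Constructed: the response after both hooks have run.
SAMPLE_FIXED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Referrer-Policy: same-origin\r\n\r\n<html>")
```

Run it against your own site by passing the output of `curl -sI https://your-forum/` as `raw`; the `ok` flag is true only when a single header carries the expected policy.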