Referrer-Policy: strict-origin-when-cross-origin the default header.
Please change the default Referrer-Policy header to strict-origin-when-cross-origin that also covers the use-case of no-referrer-when-downgrade but works for e.g., comments embedding.
… show that “There was a duplicate Referrer-Policy header.”
Only one of those should be set. 1 is not referenced in Discourse’s code, but it seems to me the legitimate one to use since it acts as a superset of 2. 2 is referenced in the sample nginx configuration file at
root@ps /var/discourse # grep -i referrer templates/*.yml
templates/web.ssl.template.yml: from: /add_header Referrer-Policy 'no-referrer-when-downgrade';/m
templates/web.ssl.template.yml: add_header Referrer-Policy 'no-referrer-when-downgrade';
What to do with it?
- change line 264 of
- update the web.ssl.template.yml to match the change in discourse_docker.
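
An added example, not part of the original post or of Discourse's code: it finds repeated Referrer-Policy headers in a response, resolves which value applies under the Referrer Policy specification's rule (the last recognised token wins), and compares what the two policies named above send. The sample headers and the forum.example / blog.example hosts are constructed, and the downgrade test is simplified to HTTPS to non-HTTPS.

```python
from urllib.parse import urlsplit

# Policy tokens defined by the W3C Referrer Policy specification.
KNOWN = {"no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
         "strict-origin", "origin-when-cross-origin",
         "strict-origin-when-cross-origin", "unsafe-url"}

def policy_headers(raw_headers):
    """Return the value of every Referrer-Policy header line, in order."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referrer-policy":
            values.append(value.strip())
    return values

def effective_policy(values):
    """Treat repeated headers as one comma-separated list; the last
    recognised token wins, unknown tokens are skipped."""
    policy = None
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()  # lower-cased for comparison (this example's choice)
            if token in KNOWN:
                policy = token
    return policy

def referrer_sent(policy, src, dst):
    """Referer value for a request src -> dst, for the two policies on this page."""
    if policy not in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        raise ValueError("only the two policies discussed here are modelled")
    s, d = urlsplit(src), urlsplit(dst)
    if s.scheme == "https" and d.scheme != "https":
        return None  # both policies send nothing on an HTTPS -> HTTP downgrade
    same_origin = (s.scheme, s.netloc) == (d.scheme, d.netloc)
    if policy == "no-referrer-when-downgrade" or same_origin:
        return src  # full URL (fragment and credential stripping omitted)
    return f"{s.scheme}://{s.netloc}/"  # cross-origin: origin only

# Constructed response headers: the same header emitted by two layers.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(policy_headers(SAMPLE), "->", effective_policy(policy_headers(SAMPLE)))
```

With the headers in this constructed order, the browser applies no-referrer-when-downgrade, so which layer emits its header last decides the policy until the duplicate is removed.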