Harden Referrer-Policy Header

hellekin · October 22, 2018, 3:01pm

Feature

Make Referrer-Policy: strict-origin-when-cross-origin the default header.

Please change the default Referrer-Policy header to strict-origin-when-cross-origin that also covers the use-case of no-referrer-when-downgrade but works for e.g., comments embedding.

Situation

… show that “There was a duplicate Referrer-Policy header.”

Referrer-Policy strict-origin-when-cross-origin
Referrer-Policy no-referrer-when-downgrade

Only one of those should be set. 1 is not referenced in Discourse’s code, but it seems to me the legitimate one to use since it acts as a superset of 2. 2 is referenced in the sample nginx configuration file at
https://github.com/discourse/discourse/blob/99d1ded3b3a2767617bbee9824e93eb57f135864/config/nginx.sample.conf#L264

In discourse_docker:

root@ps /var/discourse # grep -i referrer templates/*.yml
templates/web.ssl.template.yml:     from: /add_header Referrer-Policy 'no-referrer-when-downgrade';/m
templates/web.ssl.template.yml:       add_header Referrer-Policy 'no-referrer-when-downgrade';

What to do with it?

change line 264 of config/nginx.sample.conf in discourse
update the web.ssl.template.yml to match the change in discourse_docker.

codinghorror · October 23, 2018, 10:20am

What are your feelings on this @sam?

sam · October 23, 2018, 11:17am

Does any of this relate to your CSP work @xrav3nz ?

hellekin · October 23, 2018, 12:50pm

My guess is that your front server is adding the extra header.

xrav3nz · October 23, 2018, 5:36pm

Nope, I double checked by looking at some instances without the latest CSP changes.

The duplicated (strict-origin-when-cross-origin) seems to be a Rails default

https://github.com/rails/rails/blob/14d3c7c2c9b89fe76a3677f99d102dd6ca729927/actionpack/lib/action_dispatch/railtie.rb#L33

hellekin · October 23, 2018, 9:35pm

Then removing line 264 should fix it?

sam · October 23, 2018, 9:36pm

Sure, might as well remove it… doing so now

https://github.com/discourse/discourse/commit/64aca0dc1be041459e4e8f70e031b44d3e6dbb73

codinghorror · October 23, 2018, 9:43pm

Excellent, good find @hellekin

hellekin · October 23, 2018, 9:44pm

@sam don’t forget discourse_docker

Thanks @codinghorror.

sam · October 23, 2018, 9:57pm

Thanks for reminding me

https://github.com/discourse/discourse_docker/commit/dcf44a6f57e4dd3d0f6f822aa6172e66991e74ea

sam · October 25, 2018, 7:00am

This topic was automatically closed after 33 hours. New replies are no longer allowed.

Topic		Replies	Views
Allow customization of Referrer-Policy Feature	3	1073	January 18, 2019
Set 'Referrer-Policy' => 'same-origin' Installation	4	1096	October 14, 2022
Why are custom header links 'overridden'? Bug custom-header-links	17	681	February 7, 2024
Brand Header links and icons settings now Object setting type Feature completed , brand-header	5	30	June 19, 2024
Issue with Relative Path Causing CORS Error on Discourse Sites Bug	6	65	October 29, 2024

Harden Referrer-Policy Header

Feature

Situation

What to do with it?

Related topics