Harden Referrer-Policy Header

Feature

Make Referrer-Policy: strict-origin-when-cross-origin the default header.

Please change the default Referrer-Policy header to strict-origin-when-cross-origin, which also covers the use case of no-referrer-when-downgrade but works for, e.g., comment embedding.

Situation

… show that “There was a duplicate Referrer-Policy header.”

  1. Referrer-Policy strict-origin-when-cross-origin
  2. Referrer-Policy no-referrer-when-downgrade

Only one of those should be set. 1 is not referenced in Discourse’s code, but it seems to me the legitimate one to use since it acts as a superset of 2. 2 is referenced in the sample nginx configuration file at

In discourse_docker:

root@ps /var/discourse # grep -i referrer templates/*.yml
templates/web.ssl.template.yml:     from: /add_header Referrer-Policy 'no-referrer-when-downgrade';/m
templates/web.ssl.template.yml:       add_header Referrer-Policy 'no-referrer-when-downgrade';

What to do with it?

  1. change line 264 of config/nginx.sample.conf in discourse
  2. update the web.ssl.template.yml to match the change in discourse_docker.
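As an added example (not code from the thread or from Discourse), here is a small audit script for the situation above: it parses a raw HTTP response, flags duplicate or conflicting Referrer-Policy headers, works out which policy a browser will actually apply (per the Referrer Policy spec, header values are comma-separated token lists, unknown tokens are ignored and the last valid token wins, multiple headers behaving like one comma-joined header), and then shows what Referer each policy sends for same-origin, cross-origin and https-to-http navigations. The response headers and URLs are constructed to mimic the thread, not captured from a real site; the browser fallback of strict-origin-when-cross-origin and the simplification of "downgrade" to https-to-http are assumptions noted in the code.

```python
"""Added example, not Discourse code: audit Referrer-Policy headers and
compute the Referer a browser sends under a given policy."""
from urllib.parse import urlsplit, urlunsplit

VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Assumed browser fallback when no valid policy is delivered.
BROWSER_DEFAULT = "strict-origin-when-cross-origin"

# Constructed response: the app's header plus the one nginx add_header appends.
SAMPLE_DUPLICATE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Referrer-Policy: no-referrer-when-downgrade
"""

# Constructed response after the nginx add_header line is removed.
SAMPLE_FIXED = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
"""


def parse_headers(raw):
    """Return (lower-cased name, value) pairs from a raw HTTP response."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def effective_policy(values):
    """Spec parsing: tokens in order, unknown ones ignored, last valid wins."""
    policy = ""
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if token in VALID_POLICIES:
                policy = token
    return policy or BROWSER_DEFAULT


def audit_referrer_policy(raw):
    """Flag duplicate, conflicting or unrecognized Referrer-Policy headers."""
    values = [v for n, v in parse_headers(raw) if n == "referrer-policy"]
    distinct = list(dict.fromkeys(v.lower() for v in values))
    problems = []
    if len(values) > 1:
        problems.append(f"duplicate Referrer-Policy header ({len(values)} copies)")
    if len(distinct) > 1:
        problems.append("conflicting values: " + ", ".join(distinct))
    problems += [f"unrecognized token ignored by browsers: {v!r}"
                 for v in distinct if v not in VALID_POLICIES]
    return {"values": values, "effective": effective_policy(values),
            "problems": problems}


def compute_referrer(policy, source_url, target_url):
    """Referer sent when going from source_url to target_url under `policy`.
    Simplified: 'downgrade' means https -> http; the spec's potentially
    trustworthy origin rules (localhost, file:) are not modelled.
    Returns None when no Referer is sent."""
    src, dst = urlsplit(source_url), urlsplit(target_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))  # fragment stripped
    origin = f"{src.scheme}://{src.netloc}/"   # origin-only form ends in "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy {policy!r}")
```

Running `audit_referrer_policy(SAMPLE_DUPLICATE)` reports two copies with conflicting values and an effective policy of no-referrer-when-downgrade (the later header wins), while `SAMPLE_FIXED` reports no problems. `compute_referrer` makes the practical difference visible: with no-referrer-when-downgrade a cross-origin https request from a topic URL carries the full path and query, whereas strict-origin-when-cross-origin trims it to the origin; both send nothing on an https-to-http downgrade.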

What are your feelings on this @sam?

Does any of this relate to your CSP work @xrav3nz ?


My guess is that your front server is adding the extra header.

Nope, I double checked by looking at some instances without the latest CSP changes.

The duplicated header (strict-origin-when-cross-origin) seems to be a Rails default.


Then removing line 264 should fix it?

Sure, might as well remove it… doing so now


Excellent, good find @hellekin :beers:

@sam don’t forget discourse_docker :slight_smile:

Thanks @codinghorror.


Thanks for reminding me :slight_smile:


This topic was automatically closed after 33 hours. New replies are no longer allowed.