Set 'Referrer-Policy' => 'same-origin'

Support Self-hosting
1

Hello there,

I want to set the 'Referrer-Policy header to ‘same-origin’. This can’t be done via nginx, because it’s set via Redis/Rails.

Default seems:
Referrer-Policy' => 'strict-origin-when-cross-origin'

Is it possible to change this to:
Referrer-Policy' => 'same-origin'

I could not find the string within/outside the container. :roll_eyes:

2

Yeah. Stupid. I was not searching at the right place.

I found many entries of
Referrer-Policy' => 'strict-origin-when-cross-origin'

Here is a list (grep strict-origin-when-cross-origin /var/www/discourse/ -R):

  • /var/www/discourse/vendor/bundle/ruby/2.7.0/gems/rack-protection-2.2.2/lib/rack/protection/referrer_policy.rb: # referrer_policy:: The policy to use (default: ‘strict-origin-when-cross-origin’)
  • /var/www/discourse/vendor/bundle/ruby/2.7.0/gems/rack-protection-2.2.2/lib/rack/protection/referrer_policy.rb: default_options :referrer_policy => ‘strict-origin-when-cross-origin’
  • /var/www/discourse/vendor/bundle/ruby/2.7.0/gems/railties-7.0.3.1/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_7_0.rb.tt:# “Referrer-Policy” => “strict-origin-when-cross-origin”
  • /var/www/discourse/vendor/bundle/ruby/2.7.0/gems/railties-7.0.3.1/lib/rails/application/configuration.rb: “Referrer-Policy” => “strict-origin-when-cross-origin”
  • /var/www/discourse/vendor/bundle/ruby/2.7.0/gems/actionpack-7.0.3.1/lib/action_dispatch/railtie.rb: “Referrer-Policy” => “strict-origin-when-cross-origin”
  • /var/www/discourse/vendor/bundle/ruby/2.7.0/gems/rack-protection-3.0.2/lib/rack/protection/referrer_policy.rb: # referrer_policy:: The policy to use (default: ‘strict-origin-when-cross-origin’)
  • /var/www/discourse/vendor/bundle/ruby/2.7.0/gems/rack-protection-3.0.2/lib/rack/protection/referrer_policy.rb: default_options referrer_policy: ‘strict-origin-when-cross-origin’
  • /var/www/discourse/config/initializers/new_framework_defaults_7_0.rb: “Referrer-Policy” => “strict-origin-when-cross-origin”
  • grep: /var/www/discourse/tmp/cache/bootsnap/compile-cache-iseq/f6/fc077900e2584e: binary file matches
  • grep: /var/www/discourse/tmp/cache/bootsnap/compile-cache-iseq/8a/029cf0d9c06e6d: binary file matches
  • grep: /var/www/discourse/tmp/cache/bootsnap/compile-cache-iseq/25/d90a345e4f734e: binary file matches

I really don’t know where to set same-origin. Any hints?

3

Very nasty hack here but

you could resolve this in nginx by adding a proxy_hide_header and follow it with your own add_header

4

Yeah nasty hack. Don’t like that. :wink:

5

Any help Herr where is the right place that is used in production?

6

A slightly less nasty hack is putting this in the HTML head part of a custom theme component:

<meta name="referrer" content="same-origin">

That doesn’t remove the HTTP header, and I couldn’t find any definitive info if the HTTP header overwrites the HTML meta tag or the other way around, but at least according to a quick test with whatsmyreferer.com, it seems to work: no more referrer header is sent on outgoing links.