Set Referrer-Policy to no-referrer #6

Merged
cadence merged 1 commit from blankie/breezewiki:referrer-policy into main 2022-10-09 10:45:48 +00:00
Contributor

Fandom sends a fake 404 to media if there's a Referer header that has an origin that's not Fandom. However, we can choose not to send the header by setting Referrer-Policy. See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

blankie added 1 commit 2022-10-09 03:57:45 +00:00
Fandom sends a fake 404 to media if there's a Referer header that has an origin
that's not Fandom. However, we can choose not to send the header by setting
Referrer-Policy. See also:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
cadence merged commit adc4b47b83 into main 2022-10-09 10:45:48 +00:00
Owner

Thanks! Your commit didn't correct the original problem because referrer-policy needed to also be applied to page-proxy. This is because the stylesheet is considered to be the initiator for some requests such as the page background image when strict_proxy is true. When I also added the header to the proxied stylesheet, it corrected the original problem.

Thanks for introducing me to referrer-policy, I tried to find something like this before but evidently I missed it. Feel free to further extend always-headers with helpful security headers if you come across any more.

Thanks to 5813c492 everything I mentioned here should be good now. Pushing to breezewiki.com shortly.
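The behaviour described in the comment above, as an added example that is not part of the original thread or BreezeWiki's own code: a simplified model of how a browser picks the Referer for a subresource, showing why a policy set only on the page does not cover requests started by a stylesheet. The hostnames, paths and function names are constructed for illustration.

```javascript
// Simplified model of Referer selection (added example, not BreezeWiki code).
// Assumptions: every URL is https, so the "strict" downgrade case never applies,
// and only the policy values listed in refererFor are modelled.
const DEFAULT_POLICY = "strict-origin-when-cross-origin"; // used when no header is set

// Referer value sent to targetUrl, or null when the header is omitted.
function refererFor(referrerUrl, policy, targetUrl) {
  const from = new URL(referrerUrl);
  const sameOrigin = from.origin === new URL(targetUrl).origin;
  switch (policy || DEFAULT_POLICY) {
    case "no-referrer":
      return null;
    case "same-origin":
      return sameOrigin ? from.href : null;
    case "origin":
      return from.origin + "/";
    case "strict-origin-when-cross-origin":
      return sameOrigin ? from.href : from.origin + "/";
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// A request started by a stylesheet takes its referrer URL and policy from the
// stylesheet response; a request started by markup takes them from the page.
function subresourceReferer(page, stylesheet, request) {
  const source = request.initiator === "stylesheet" ? stylesheet : page;
  return refererFor(source.url, source.referrerPolicy, request.url);
}

// Constructed sample: placeholder hosts standing in for the proxy and the media host.
function scenario(stylesheetPolicy) {
  const page = { url: "https://proxy.example/wiki/Page", referrerPolicy: "no-referrer" };
  const stylesheet = { url: "https://proxy.example/proxy/site.css", referrerPolicy: stylesheetPolicy };
  const media = "https://media.example.net/";
  return {
    img: subresourceReferer(page, stylesheet, { url: media + "photo.png", initiator: "document" }),
    background: subresourceReferer(page, stylesheet, { url: media + "bg.png", initiator: "stylesheet" }),
  };
}

console.log(scenario(undefined));     // header only on the page
console.log(scenario("no-referrer")); // header on the proxied stylesheet as well
```

With the header only on the page, the background image request still carries the proxy's origin as its Referer; once the stylesheet response carries the header too, neither request sends one.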

Reference: cadence/breezewiki#6