Set "never" referrer policy

Linkification and plugins can cause requests originating from PolyGerrit to third-party sites. Without this policy, such requests would include a "Referer" header that potentially reveals sensitive information in hostnames, project names, and filenames. Unfortunately, different browsers implement different versions of the standard. We want to use the legacy policy name "never" so browsers that only implement the legacy standard will comply. We use a meta tag instead of an HTTP response header because Chrome doesn't respect legacy policies specified outside of meta tags. Change-Id: Ibb601742121c6d0c9122e34dda2d447a068c0913
2018-11-01 14:46:05 -07:00 · 2018-11-01 14:46:05 -07:00 · dbde9244fe
parent 97894c1588
commit dbde9244fe
1 changed files with 1 additions and 0 deletions
--- a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
+++ b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
@ -30,6 +30,7 @@
  <html lang="en">{\n}
  <meta charset="utf-8">{\n}
  <meta name="description" content="Gerrit Code Review">{\n}
+  <meta name="referrer" content="never">{\n}
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">{\n}

  <script>