Referrer-Policy header is added twice

Summary

When making requests to https://gitlab.com the response returned contains 2 Referrer-Policy headers set with the same value (strict-origin-when-cross-origin).

Steps to reproduce

  1. Use curl to make a request to https://gitlab.com and inspect the headers returned: curl -v https://gitlab.com
  2. Response:
* Rebuilt URL to: https://gitlab.com/
*   Trying 35.231.145.151...
* TCP_NODELAY set
* Connected to gitlab.com (35.231.145.151) port 443 (#0)
* schannel: SSL/TLS connection with gitlab.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 175 bytes...
* schannel: sent initial handshake data: sent 175 bytes
* schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4022
* schannel: encrypted data buffer: offset 4022 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
* schannel: encrypted data got 876
* schannel: encrypted data buffer: offset 4898 length 5046
* schannel: sending next handshake data: sending 126 bytes...
* schannel: SSL/TLS connection with gitlab.com port 443 (step 2/3)
* schannel: encrypted data got 242
* schannel: encrypted data buffer: offset 242 length 5046
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with gitlab.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: gitlab.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 1784
* schannel: encrypted data buffer: offset 1784 length 103424
* schannel: decrypted data length: 1755
* schannel: decrypted data added: 1755
* schannel: decrypted data cached: offset 1755 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 1755 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 1755
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 302 Found
< Server: nginx
< Date: Wed, 25 Sep 2019 08:56:45 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 91
< Cache-Control: no-cache
< Content-Security-Policy: connect-src 'self' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net wss://gitlab.com https://sentry.gitlab.net https://customers.gitlab.com https://snowplow.trx.gitlab.net; frame-ancestors 'self'; frame-src 'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://*.codesandbox.io; img-src * data: blob:; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com 'nonce-PzDoWrhXvte/oUpg5Yh/VA=='; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net; worker-src https://assets.gitlab-static.net https://gl-canary.freetls.fastly.net https://gitlab.com blob:
< Location: https://about.gitlab.com/
< Referrer-Policy: strict-origin-when-cross-origin
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Frame-Options: DENY
< X-Permitted-Cross-Domain-Policies: none
< X-Request-Id: dOzrFFWcTf4
< X-Runtime: 0.015471
< X-Ua-Compatible: IE=edge
< X-Xss-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< Referrer-Policy: strict-origin-when-cross-origin
< GitLab-LB: fe-17-lb-gprd
< GitLab-SV: web-34-sv-gprd
<
<html><body>You are being <a href="https://about.gitlab.com/">redirected</a>.</body></html>* Connection #0 to host gitlab.com left intact

Referrer-Policy: strict-origin-when-cross-origin is added twice.

Configuration used

N/A

Current behavior

The Referrer-Policy header is added twice.

Expected behavior

The Referrer-Policy header is only added once.

Versions

GitLab.com is running version 12.3.0-pre

Relevant logs

N/A
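
A check for the condition reported above, as an added example that is not part of the original report or of GitLab's code: the `dup_headers` function (a hypothetical name) reads `curl -v` or `curl -sI` output on stdin and lists response headers that appear more than once, noting whether the repeated values match. The sample input is abridged from the trace in the report.

```shell
#!/usr/bin/env bash
# Report response headers that occur more than once in curl output.
# Input:  `curl -v` trace ("< Name: value") or `curl -sI` output ("Name: value").
# Output: one line per repeated header: "<name> <count> identical|differing".
# Exit status: 1 if any repeated header was found, 0 otherwise.
dup_headers() {
  awk '
    { sub(/\r$/, "") }              # strip CR from CRLF line endings
    /^[*>{}]/ { next }              # skip curl -v info lines and request headers
    { sub(/^< /, "") }              # drop the curl -v response marker
    /^[A-Za-z0-9-]+:/ {
      name  = tolower(substr($0, 1, index($0, ":") - 1))   # names are case-insensitive
      value = substr($0, index($0, ":") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", value)
      if (name == "set-cookie") next                       # legitimately repeated
      if (!(name in count)) { order[++n] = name; first[name] = value; same[name] = 1 }
      else if (value != first[name]) same[name] = 0
      count[name]++
    }
    END {
      for (i = 1; i <= n; i++) {
        h = order[i]
        if (count[h] > 1) { print h, count[h], (same[h] ? "identical" : "differing"); found = 1 }
      }
      exit(found ? 1 : 0)
    }'
}

# Sample input: abridged from the response in the report above.
sample_response() {
  cat <<'EOF'
> GET / HTTP/1.1
> Host: gitlab.com
< HTTP/1.1 302 Found
< Server: nginx
< Location: https://about.gitlab.com/
< Referrer-Policy: strict-origin-when-cross-origin
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=31536000
< Referrer-Policy: strict-origin-when-cross-origin
< GitLab-LB: fe-17-lb-gprd
EOF
}

sample_response | dup_headers || true   # prints: referrer-policy 2 identical
```

Against a live host the same function can be fed with `curl -sI https://gitlab.com | dup_headers`; the non-zero exit status on a finding makes it usable as a pipeline check.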