
remove duplicated and hard-coded referrer-policy

nhirokinet requested to merge (removed):patch-39 into master

What does this MR do?

A tag like the one below is added to every page.

<meta content="origin-when-cross-origin" name="referrer">

Actual installation, including the Docker image, automatically adds Referrer-Policy: strict-origin-when-cross-origin by default, and if the site admin desires (like intranet sites whose internal URLs should not be exposed), it can be changed by configuration easily. This configuration is described in the document below.

https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-referrer-policy-header

Unfortunately, the meta tag has stronger priority, so this meta tag actually disables this configuration. So even an intranet site admin who does not want the hostname to be exposed cannot control it.

Without this change, even if nginx['referrer_policy'] is set to same-origin, an image link will send Referer to an external origin. After modifying /opt/gitlab/embedded/service/gitlab-rails/app/views/layouts/_head.html.haml and restarting gitlab, an image link will not send Referer when nginx['referrer_policy'] is set to same-origin.

Since the same function is already decided by Referrer-Policy, I think this line should be removed.

Screenshots

Header in the page source, like below (copied and pasted).

<meta content="origin-when-cross-origin" name="referrer">

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by nhirokinet
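To check a deployment for the conflict this MR describes, the following script (an added example, not GitLab's own code) parses a served page for `<meta name="referrer">` tags, works out which policy the browser will actually apply given the Referrer-Policy response header, and warns when the meta tag changes or weakens the header. The ranking of policy values and the sample HTML are constructed assumptions for illustration.

```python
"""Added example, not GitLab's own code: flag a <meta name="referrer"> tag
that overrides the Referrer-Policy response header (the problem this MR fixes)."""
from html.parser import HTMLParser
# Known policy values, heuristically ordered from most to least restrictive
# (used only to label a mismatch as "weakens"; it is not a strict total order).
POLICY_RANK = {"no-referrer": 0, "same-origin": 1, "strict-origin": 2,
               "strict-origin-when-cross-origin": 3, "origin": 4,
               "origin-when-cross-origin": 5, "no-referrer-when-downgrade": 6,
               "unsafe-url": 7}

class _MetaReferrer(HTMLParser):
    """Collects the content of every <meta name="referrer"> in document order."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == "referrer":
            self.values.append(a.get("content", "").strip().lower())

def meta_referrer_values(html):
    parser = _MetaReferrer()
    parser.feed(html)
    return parser.values

def effective_policy(header, html):
    """Policy the browser applies: a valid meta value is set after the header
    and replaces it; empty or unknown meta values are ignored."""
    policy = (header or "").strip().lower()
    for v in meta_referrer_values(html):
        if v in POLICY_RANK:
            policy = v
    return policy

def audit(header, html):
    """Return (effective policy, warnings) for one response header + body."""
    header = (header or "").strip().lower()
    warnings = []
    for v in meta_referrer_values(html):
        if v not in POLICY_RANK:
            warnings.append(f"meta referrer {v!r} is invalid and will be ignored")
        elif v != header:
            verb = "weakens" if POLICY_RANK[v] > POLICY_RANK.get(header, POLICY_RANK[v]) else "changes"
            warnings.append(f"meta referrer {v!r} {verb} Referrer-Policy header {header!r}")
    return effective_policy(header, html), warnings
# Constructed sample: the tag quoted in the MR, served under an admin's same-origin header.
SAMPLE_HTML = '<html><head><meta content="origin-when-cross-origin" name="referrer"></head></html>'
```

Feed it the real header and body fetched from your instance (for example via curl) to confirm that, after this MR, the effective policy equals the configured nginx['referrer_policy'].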
