remove duplicated and hard-coded referrer-policy
What does this MR do?
A tag like the one below is added to every page.
<meta content="origin-when-cross-origin" name="referrer">
An actual installation, including the Docker image, automatically adds `Referrer-Policy: strict-origin-when-cross-origin`
by default, and if the site admin desires (for example on intranet sites whose internal URLs should not be exposed), it can easily be changed by configuration. This configuration is described in the document below.
https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-referrer-policy-header
Unfortunately, the meta tag has higher priority, so this meta tag actually disables that configuration. So even an intranet site admin who does not want the hostname to be exposed cannot control it.
Without this change, even if `nginx['referrer_policy']` is set to `same-origin`, an image link will send `Referer` to an external origin. After modifying `/opt/gitlab/embedded/service/gitlab-rails/app/views/layouts/_head.html.haml` and restarting GitLab, an image link will not send `Referer` when `nginx['referrer_policy']` is set to `same-origin`.
Since the same function is already decided by `Referrer-Policy`, I think this line should be removed.
Screenshots
The header in the page source looks like the one below (copied and pasted).
<meta content="origin-when-cross-origin" name="referrer">
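The following is an added example to illustrate the precedence problem described above; it is not GitLab code and not part of this MR. It models, in plain Ruby, how a browser resolves the effective referrer policy (the `Referrer-Policy` header sets the document's initial policy, and a later `<meta name="referrer">` replaces it, per the HTML and Referrer Policy specs) and what `Referer` value is then sent for a cross-origin image. The intranet hostname, the external image URL and the fallback to `strict-origin-when-cross-origin` for a missing policy are assumptions made for the demonstration.

```ruby
require 'uri'

# Added example, not GitLab code: a small model of how a browser picks the
# effective referrer policy for a document and what Referer it then sends
# for a sub-resource such as an <img>. The Referrer-Policy response header
# sets the document's initial policy; each <meta name="referrer"> parsed
# later replaces it, which is why a hard-coded meta tag defeats nginx config.

VALID_POLICIES = %w[
  no-referrer no-referrer-when-downgrade same-origin origin strict-origin
  origin-when-cross-origin strict-origin-when-cross-origin unsafe-url
].freeze

# The header may be a comma-separated list; the last valid token wins.
# Returns nil when nothing valid is present.
def policy_from_header(header)
  return nil if header.nil?
  header.split(',').map(&:strip).select { |t| VALID_POLICIES.include?(t) }.last
end

# header: Referrer-Policy header value (or nil); metas: content values of
# <meta name="referrer"> elements in document order. Unknown values are
# ignored, as a browser ignores them.
def effective_policy(header, metas)
  policy = policy_from_header(header)
  metas.each { |m| policy = m if VALID_POLICIES.include?(m) }
  policy
end

def same_origin?(a, b)
  a.scheme == b.scheme && a.host == b.host && a.port == b.port
end

# A TLS-protected document fetching a non-TLS target.
def downgrade?(from, to)
  from.scheme == 'https' && to.scheme != 'https'
end

def origin_of(uri)
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}/"
end

# Full referrer: scheme, host, port, path and query, with any credentials
# and fragment stripped.
def full_referrer(uri)
  path = uri.path.empty? ? '/' : uri.path
  query = uri.query ? "?#{uri.query}" : ''
  "#{origin_of(uri).chomp('/')}#{path}#{query}"
end

# Referer the browser would send for target_url from a document at
# document_url under policy, or nil when none is sent. A nil policy falls
# back to strict-origin-when-cross-origin (assumed current browser default).
def referer_for(document_url, target_url, policy)
  from = URI(document_url)
  to = URI(target_url)
  full = full_referrer(from)
  origin = origin_of(from)
  case policy || 'strict-origin-when-cross-origin'
  when 'no-referrer'                then nil
  when 'unsafe-url'                 then full
  when 'no-referrer-when-downgrade' then downgrade?(from, to) ? nil : full
  when 'same-origin'                then same_origin?(from, to) ? full : nil
  when 'origin'                     then origin
  when 'strict-origin'              then downgrade?(from, to) ? nil : origin
  when 'origin-when-cross-origin'   then same_origin?(from, to) ? full : origin
  when 'strict-origin-when-cross-origin'
    if same_origin?(from, to) then full
    elsif downgrade?(from, to) then nil
    else origin
    end
  end
end

# The situation from the MR: nginx configured with same-origin, a page on a
# hypothetical intranet host, and an <img> pointing at an external origin.
# Returns [effective policy, Referer sent].
def intranet_image_scenario(meta_present:)
  metas = meta_present ? ['origin-when-cross-origin'] : []
  policy = effective_policy('same-origin', metas)
  referer = referer_for('https://gitlab.intranet.example/secret-group/secret-project/-/issues/42',
                        'https://img.example.org/badge.svg', policy)
  [policy, referer]
end

if $PROGRAM_NAME == __FILE__
  p intranet_image_scenario(meta_present: true)  # hostname leaks as the origin
  p intranet_image_scenario(meta_present: false) # nothing sent cross-origin
end
```

With the meta tag present the scenario returns `["origin-when-cross-origin", "https://gitlab.intranet.example/"]`, so the intranet hostname reaches the external image host despite `nginx['referrer_policy']`; with the tag removed it returns `["same-origin", nil]`, and the nginx setting is honoured.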
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team