From 3d33489a2aad0f9c8fb374c61f04c2fd0af9b036 Mon Sep 17 00:00:00 2001
From: Adam Johnson
Date: Wed, 5 Feb 2020 10:02:35 +0000
Subject: [PATCH] Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'

---
 django/conf/global_settings.py | 2 +-
 docs/ref/settings.txt | 6 +++++-
 docs/releases/3.1.txt | 13 +++++++++++++
 tests/project_template/test_settings.py | 1 +
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 09c9b95d26d5c..8bb59a403756e 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -637,6 +637,6 @@ def gettext_noop(s):
 SECURE_HSTS_PRELOAD = False
 SECURE_HSTS_SECONDS = 0
 SECURE_REDIRECT_EXEMPT = []
-SECURE_REFERRER_POLICY = None
+SECURE_REFERRER_POLICY = 'same-origin'
 SECURE_SSL_HOST = None
 SECURE_SSL_REDIRECT = False
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index b4a5bdc48f9b3..8c3f6f2b473f7 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2395,12 +2395,16 @@ from URL paths, so patterns shouldn't include them, e.g.
 .. versionadded:: 3.0
-Default: ``None``
+Default: ``'same-origin'``
 If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`referrer-policy` header on all responses that do not already have it to the value provided.
+.. versionchanged:: 3.1
+ In older versions, the default value is ``None``.
+
 .. setting:: SECURE_SSL_HOST
 ``SECURE_SSL_HOST``
diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt
index 4a165156e13ef..34fbdd764ed09 100644
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
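Review bot: The new default `SECURE_REFERRER_POLICY = 'same-origin'` in global_settings.py is a bare string with nothing beside it saying what the value controls or that `None` still disables the header, even though the settings.txt hunk of this same patch documents `None` as the opt-out. A one-line comment would keep that contract next to the value: `# Referrer-Policy value SecurityMiddleware adds to responses lacking the header; None leaves it unset.` Since the default is no longer `None`, any system check that warned about an unset referrer policy presumably now fires only when a project sets `None` explicitly, so its tests are worth re-checking for that path. The surrounding settings module continues on both sides of the hunk.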
@@ -285,6 +285,17 @@ Requests and Responses
 * The new :meth:`.HttpRequest.accepts` method returns whether the request accepts the given MIME type according to the ``Accept`` HTTP header.
+Security
+~~~~~~~~
+
+* The :setting:`SECURE_REFERRER_POLICY` setting now defaults to
+ ``'same-origin'``. This means that
+ :class:`~django.middleware.security.SecurityMiddleware` will set the
+ :ref:`referrer-policy` header to ``same-origin`` on all responses that do not
+ already have it. This prevents the ``Referer`` header being sent to other
+ origins. To override this default, explicitly set
+ :setting:`SECURE_REFERRER_POLICY` to ``None``.
+
 Serialization
 ~~~~~~~~~~~~~
@@ -452,6 +463,8 @@ Miscellaneous
 * Providing a non-local remote field in the :attr:`.ForeignKey.to_field` argument now raises :class:`~django.core.exceptions.FieldError`.
+* :setting:`SECURE_REFERRER_POLICY` now defaults to ``'same-origin'``.
+
 .. _deprecated-features-3.1:
 Features deprecated in 3.1
diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py
index 5617f4a9432e0..e8d466938dcbd 100644
--- a/tests/project_template/test_settings.py
+++ b/tests/project_template/test_settings.py
@@ -38,6 +38,7 @@ def test_middleware_headers(self):
 self.assertEqual(headers, [
 b'Content-Length: 0',
 b'Content-Type: text/html; charset=utf-8',
+ b'Referrer-Policy: same-origin',
 b'X-Content-Type-Options: nosniff',
 b'X-Frame-Options: DENY',
 ])
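Review bot: test_middleware_headers now pins `Referrer-Policy: same-origin` for the default configuration, but nothing in this file covers the opt-out the release notes in this patch promise — that an explicit `SECURE_REFERRER_POLICY = None` leaves the header off. If the middleware test suite does not already assert that, a sibling case decorated with `@override_settings(SECURE_REFERRER_POLICY=None)` that asserts the header is absent would lock in both halves of the new default. The assertion is also sensitive to the exact header order, so an ordering change elsewhere would surface here rather than as a policy regression. The body of test_middleware_headers starts before the hunk.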