Add support for Referrer Policy header #249
Deferring to @estark37 and @jeisinger, who are much more up to date on Referrer Policy than I am.
Referrer-Policy is a separate header, but isn't implemented in Chrome yet (and I don't think in FF either). We'll likely deprecate the referrer directive in CSP at some point after implementing the separate header.
@tomgilligan sounds like
@@ -7,7 +7,7 @@ class Railtie < Rails::Railtie | |||
'X-Permitted-Cross-Domain-Policies', 'X-Download-Options', | |||
'X-Content-Type-Options', 'Strict-Transport-Security', | |||
'Content-Security-Policy', 'Content-Security-Policy-Report-Only', | |||
'Public-Key-Pins', 'Public-Key-Pins-Report-Only'] | |||
'Public-Key-Pins', 'Public-Key-Pins-Report-Only, Referrer-Policy'] |
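Review bot: the new array element on the `+` line merges two header names into a single string, `'Public-Key-Pins-Report-Only, Referrer-Policy'`, so the list would no longer contain `Public-Key-Pins-Report-Only` and would instead carry a comma-joined name that matches no real header; split it into two strings, `'Public-Key-Pins-Report-Only', 'Referrer-Policy'`.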
Is this supposed to be two separate strings instead of continuing the PKP-RO string?
'Public-Key-Pins-Report-Only', 'Referrer-Policy'
Good 👀, I didn't catch that.
Ahh! Soz
Yep, addressing # 2 and typo in railtie now.
Oh btw here's the link to the editor's draft that specs the separate header: https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header
Thanks @tomgilligan!
See #218 for initial discussion. Forgot to check browser support before going ahead with this 😞 Maybe useful at a later date.