Headers #365
Headers #365
Conversation
XhmikosR
commented
Dec 14, 2019
XhmikosR
commented
- Move referrer header in Hapi's security object
- Switch to blankie for CSP
| @@ -38,12 +51,16 @@ const REFERRER_HEADER = 'no-referrer, strict-origin-when-cross-origin'; | |||
| maxAge: 31536000, | |||
| preload: true | |||
| }, | |||
| referrer: 'strict-origin-when-cross-origin', | |||
There was a problem hiding this comment.
Before it was "no-referrer, strict-origin-when-origin", why the change?
There was a problem hiding this comment.
I couldn't find the exact thing we were using in the Hapi security options, so I went with the closest one... https://hapi.dev/api/?v=18.4.0#-routeoptionssecurity
There was a problem hiding this comment.
So, after reading the docs, it seems that no-referrer is a fallback for when browsers don't support strict-origin-when-origin. Unfortunately, it doesn't seem hapi allows us to do this:
[1] "referrer" must be a boolean
[2] "referrer" must be one of [no-referrer, no-referrer-when-downgrade, unsafe-url, same-origin, origin, strict-origin, origin-when-cross-origin, strict-origin-when-cross-origin]
We could try asking upstream for this, not sure if they'll accept this.
There was a problem hiding this comment.
I couldn't find any modern browser that doesn't support strict-origin-when-cross-origin.
I believe the policy was written when the spec wasn't completely implemented by Chrome.
There was a problem hiding this comment.
Then if you think it's OK I guess we can move with merging this PR?
XhmikosR
force-pushed
the
headers
branch
2 times, most recently
from
ba75ca1
to
303f1f6
Compare
|
@mozfreddyb I'd like to get this merged if you agree with the changes. |
