Headers #365
XhmikosR
commented
Dec 14, 2019
- Move referrer header in Hapi's security object
- Switch to blankie for CSP
@@ -38,12 +51,16 @@ const REFERRER_HEADER = 'no-referrer, strict-origin-when-cross-origin'; | |||
maxAge: 31536000, | |||
preload: true | |||
}, | |||
referrer: 'strict-origin-when-cross-origin', |
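Review bot: the new referrer: 'strict-origin-when-cross-origin' line drops the no-referrer token that the REFERRER_HEADER constant in the hunk's context line still carries ('no-referrer, strict-origin-when-cross-origin'). In a comma-separated Referrer-Policy value the last token the browser recognises wins, so on browsers that know strict-origin-when-cross-origin the effective policy is unchanged, while browsers that do not know it lose the no-referrer fallback and fall back to their default; if that trade-off is intended, state it in the PR description, and remove REFERRER_HEADER if nothing in the file still references it.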
Before it was "no-referrer, strict-origin-when-origin", why the change?
I couldn't find the exact thing we were using in the Hapi security options, so I went with the closest one... https://hapi.dev/api/?v=18.4.0#-routeoptionssecurity
So, after reading the docs, it seems that no-referrer is a fallback for when browsers don't support strict-origin-when-origin. Unfortunately, it doesn't seem hapi allows us to do this:
[1] "referrer" must be a boolean
[2] "referrer" must be one of [no-referrer, no-referrer-when-downgrade, unsafe-url, same-origin, origin, strict-origin, origin-when-cross-origin, strict-origin-when-cross-origin]
We could try asking upstream for this, not sure if they'll accept this.
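The fallback behaviour discussed in this comment can be checked directly. The following is an added example written for this page, not code from the PR, hapi or blankie: it resolves a Referrer-Policy header value the way browsers do (a comma-separated list where the last recognised token wins, unknown tokens skipped) and checks a config value against the single-token list hapi's validation error quotes above. The OLD_BROWSER set is a constructed stand-in for a browser that predates strict-origin-when-cross-origin.

```javascript
// Added example (not code from the PR, hapi or blankie).

// The policy names hapi's validation error above lists as accepted.
const KNOWN_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'unsafe-url', 'same-origin',
  'origin', 'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
]);

// Browsers accept a comma-separated Referrer-Policy value: tokens the browser
// does not recognise are skipped and the last recognised token wins.
// `supported` models which policies a given browser understands.
function resolveReferrerPolicy(headerValue, supported = KNOWN_POLICIES) {
  let policy = ''; // '' means no policy applied, so the browser default is used
  for (const raw of headerValue.split(',')) {
    const token = raw.trim().toLowerCase();
    if (supported.has(token)) policy = token;
  }
  return policy;
}

// hapi accepts exactly one token in route.options.security.referrer, so a
// comma-separated value like the old header is rejected by its validation.
function isValidHapiReferrer(value) {
  return typeof value === 'string' && KNOWN_POLICIES.has(value);
}

// Constructed sample: a browser that does not know strict-origin-when-cross-origin.
const OLD_BROWSER = new Set(
  [...KNOWN_POLICIES].filter((p) => p !== 'strict-origin-when-cross-origin'),
);

const OLD_HEADER = 'no-referrer, strict-origin-when-cross-origin';
const NEW_VALUE = 'strict-origin-when-cross-origin';

console.log('old header, modern browser :', resolveReferrerPolicy(OLD_HEADER));
console.log('old header, old browser    :', resolveReferrerPolicy(OLD_HEADER, OLD_BROWSER));
console.log('new value, old browser     :', JSON.stringify(resolveReferrerPolicy(NEW_VALUE, OLD_BROWSER)));
console.log('old header valid for hapi? :', isValidHapiReferrer(OLD_HEADER));
console.log('new value valid for hapi?  :', isValidHapiReferrer(NEW_VALUE));
```

Running it shows that a browser which understands strict-origin-when-cross-origin ends up with the same policy under either value, while a browser that does not understand it gets no-referrer from the old header but no policy at all from the new single-token value; hapi, for its part, only accepts the single token.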
I couldn't find any modern browser that doesn't support strict-origin-when-cross-origin.
I believe the policy was written when the spec wasn't completely implemented by Chrome.
Then if you think it's OK I guess we can move with merging this PR?
ba75ca1 to 303f1f6
@mozfreddyb I'd like to get this merged if you agree with the changes.
let's do this :)