Add a middleware for referrer policy #7346
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
But it could be None
|
Chrome is going to make |
ericholscher
approved these changes
Aug 4, 2020
| @@ -64,6 +64,8 @@ server { | |||
| add_header X-RTD-Redirect $rtd_redirect always; | |||
| set $cache_tag $upstream_http_cache_tag; | |||
| add_header Cache-Tag $cache_tag always; | |||
| set $referrer_policy $upstream_http_referrer_policy; | |||
| add_header Referrer-Policy $referrer_policy always; | |||
There was a problem hiding this comment.
This needs a corresponding ops change as well.
There was a problem hiding this comment.
Yes it does although the critical piece is getting the stricter policy for the dashboard.
There was a problem hiding this comment.
I added a PR for the corresponding ops change.
| @@ -11,6 +11,7 @@ class CommunityProxitoSettingsMixin: | |||
|
|
|||
| ROOT_URLCONF = 'readthedocs.proxito.urls' | |||
| USE_SUBDOMAIN = True | |||
| SECURE_REFERRER_POLICY = "no-referrer-when-downgrade" | |||
There was a problem hiding this comment.
To be honest, I think strict-origin-when-cross-origin would be fine for docs sites as we don't really use the additional data as far as I'm aware but at least we have an easy upgrade path this way.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This sets a referrer policy with the value of
strict-origin-when-cross-originfor the RTD dashboard. Proxito (which serves documentation sites) will useno-referrer-when-downgradeso that API calls from docs sites to readthedocs.org will report the referrer.Setting the setting
SECURE_REFERRER_POLICY=Nonewill turn off the middleware.I didn't use the existing django-referrer-policy module because this new middleware is setup so that it can just be removed when we upgrade to Django 3. Referrer policy is a built-in feature of Django's SecurityMiddleware (which we use) in Django 3. The django-referrer-policy uses a different setting name than what Django uses in Django3.