Add a middleware for referrer policy #7346
But it could be None
Chrome is going to make
@@ -64,6 +64,8 @@ server { | |||
add_header X-RTD-Redirect $rtd_redirect always; | |||
set $cache_tag $upstream_http_cache_tag; | |||
add_header Cache-Tag $cache_tag always; | |||
set $referrer_policy $upstream_http_referrer_policy; | |||
add_header Referrer-Policy $referrer_policy always; |
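Review bot: the two added lines only pass through whatever Referrer-Policy the upstream sends, so when the Django setting is None and the middleware is switched off (as the description says it can be), docs responses carry no Referrer-Policy header at all and the browser default applies; a short comment beside `set $referrer_policy $upstream_http_referrer_policy;` saying that this fallback is intentional, and that the pair mirrors the Cache-Tag pass-through just above it, would stop the next reader from wondering whether nginx should supply a fixed default here.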
This needs a corresponding ops change as well.
Yes it does although the critical piece is getting the stricter policy for the dashboard.
I added a PR for the corresponding ops change.
@@ -11,6 +11,7 @@ class CommunityProxitoSettingsMixin: | |||
|
|||
ROOT_URLCONF = 'readthedocs.proxito.urls' | |||
USE_SUBDOMAIN = True | |||
SECURE_REFERRER_POLICY = "no-referrer-when-downgrade" |
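Review bot: `no-referrer-when-downgrade` is the most permissive of the policies discussed in this thread, so the added line deserves a comment stating why Proxito needs it (API calls from docs sites to readthedocs.org must report the referrer, per the description) and that the setting name deliberately matches Django 3's SECURE_REFERRER_POLICY so the line survives the upgrade unchanged; the same comment can record that tightening to `strict-origin-when-cross-origin` is the expected follow-up if that referrer data turns out to be unused.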
This makes sense 👍
To be honest, I think strict-origin-when-cross-origin would be fine for docs sites as we don't really use the additional data as far as I'm aware, but at least we have an easy upgrade path this way.
This sets a referrer policy with the value of strict-origin-when-cross-origin for the RTD dashboard. Proxito (which serves documentation sites) will use no-referrer-when-downgrade so that API calls from docs sites to readthedocs.org will report the referrer. Setting the setting SECURE_REFERRER_POLICY=None will turn off the middleware.

I didn't use the existing django-referrer-policy module because this new middleware is set up so that it can just be removed when we upgrade to Django 3. Referrer policy is a built-in feature of Django's SecurityMiddleware (which we use) in Django 3. The django-referrer-policy module uses a different setting name than what Django uses in Django 3.
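The middleware described above, as an added illustrative example rather than the PR's own code: it follows Django's middleware shape, sets Referrer-Policy from SECURE_REFERRER_POLICY, does nothing when the setting is None or the view already set the header, and validates the value against the policy tokens the way Django 3's SecurityMiddleware checks do. Response, the SimpleNamespace settings object and header_for are stand-ins I assumed so it runs without Django.

```python
from types import SimpleNamespace

# Referrer Policy tokens (the set Django 3's system check validates against).
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

class Response:
    """Stand-in for HttpResponse (assumption): header names compare case-insensitively."""
    def __init__(self):
        self.headers = {}

    def has_header(self, name):
        return any(k.lower() == name.lower() for k in self.headers)

class ReferrerPolicyMiddleware:
    """Sets Referrer-Policy from settings.SECURE_REFERRER_POLICY; None disables it."""
    def __init__(self, get_response, settings):
        self.get_response = get_response
        policy = getattr(settings, "SECURE_REFERRER_POLICY", None)
        if policy is not None:
            # Django 3 accepts a comma-separated fallback list; normalise and validate it.
            tokens = [t.strip() for t in policy.split(",")]
            bad = [t for t in tokens if t not in VALID_POLICIES]
            if bad:
                raise ValueError(f"invalid SECURE_REFERRER_POLICY value(s): {bad}")
            policy = ",".join(tokens)
        self.policy = policy

    def __call__(self, request):
        response = self.get_response(request)
        # Add the header only when enabled and when the view has not set its own.
        if self.policy is not None and not response.has_header("Referrer-Policy"):
            response.headers["Referrer-Policy"] = self.policy
        return response

def header_for(policy_setting, view_sets=None):
    """Run one request through the middleware; return the Referrer-Policy value or None."""
    def view(request):  # hypothetical view that may set its own header
        resp = Response()
        if view_sets:
            resp.headers["referrer-policy"] = view_sets
        return resp
    mw = ReferrerPolicyMiddleware(view, SimpleNamespace(SECURE_REFERRER_POLICY=policy_setting))
    resp = mw({"path": "/"})
    return next((v for k, v in resp.headers.items() if k.lower() == "referrer-policy"), None)
```

header_for("strict-origin-when-cross-origin") models the dashboard, header_for("no-referrer-when-downgrade") models Proxito, and header_for(None) shows the middleware switched off.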