
Add support for Referrer Policy header #249

Merged
merged 3 commits into from
Apr 27, 2016

Conversation

tommy-gilligan
Contributor

See #218 for initial discussion. Forgot to check browser support before going ahead with this. Maybe useful at a later date.

@oreoshake
Contributor

  1. Thank you! This is great. ❤️
  2. We can't apply this by default without a major version bump, in the meantime let's opt-out by default like we do for hpkp here. Even though I believe that 95% of web apps can default to this setting without issue, we just can't surprise that other 5% with broken behavior.
  3. @mikewest is the referrer-policy header still a thing? I don't see it anywhere under "referrer policy delivery"

@mikewest

Deferring to @estark37 and @jeisinger, who are much more up to date on Referrer Policy than I am.

@estark37

Referrer-Policy is a separate header, but isn't implemented in Chrome yet (and I don't think in FF either). We'll likely deprecate the referrer directive in CSP at some point after implementing the separate header.

@oreoshake
Contributor

@tomgilligan sounds like referrer-policy will be a thing so if you can address #2 in my previous comment we can merge this to be ready for the browser implementations.

thanks @mikewest and @estark37

@@ -7,7 +7,7 @@ class Railtie < Rails::Railtie
'X-Permitted-Cross-Domain-Policies', 'X-Download-Options',
'X-Content-Type-Options', 'Strict-Transport-Security',
'Content-Security-Policy', 'Content-Security-Policy-Report-Only',
'Public-Key-Pins', 'Public-Key-Pins-Report-Only']
'Public-Key-Pins', 'Public-Key-Pins-Report-Only, Referrer-Policy']
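Review bot: the replacement line in this hunk fuses the two header names into a single string, `'Public-Key-Pins-Report-Only, Referrer-Policy'`, so the list never contains `'Referrer-Policy'` as its own element and whatever the Railtie does with these header names will not be applied to the new header; close the quote before the comma so the line reads `'Public-Key-Pins', 'Public-Key-Pins-Report-Only', 'Referrer-Policy']`.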


Is this supposed to be two separate strings instead of continuing the PKP-RO string?

'Public-Key-Pins-Report-Only', 'Referrer-Policy'

Contributor


Good 👀, I didn't catch that.

Contributor Author


Ahh! Soz

Contributor Author


Yep, addressing #2 and typo in railtie now.

@estark37

Oh btw here's the link to the editor's draft that specs the separate header: https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header
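The opt-out-by-default behaviour requested in point 2 above, as an added example that is not secure_headers' own code: a minimal Rack middleware that emits Referrer-Policy only when an application opts in, leaves a value the app already set untouched, and rejects anything outside the token list of the editor's draft linked above. The `ReferrerPolicyMiddleware` class, the `OPT_OUT` sentinel and the `build_headers` helper are assumptions made for this example.

```ruby
# Added example, not secure_headers' own code: opt-out-by-default handling for
# a Referrer-Policy header in a minimal Rack middleware.
# Tokens as listed in the editor's draft linked above (assumed current here).
REFERRER_POLICY_VALUES = %w[
  no-referrer no-referrer-when-downgrade same-origin origin
  strict-origin origin-when-cross-origin strict-origin-when-cross-origin
  unsafe-url
].freeze

class ReferrerPolicyMiddleware
  HEADER = "Referrer-Policy"
  # Hypothetical sentinel: no header is emitted unless an app opts in,
  # mirroring the "opt-out by default" request in the review.
  OPT_OUT = :opt_out

  def initialize(app, policy = OPT_OUT)
    @app = app
    @policy = policy == OPT_OUT ? nil : validate!(policy)
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Respect a value the application already set for this response.
    if @policy && !headers.key?(HEADER)
      headers[HEADER] = @policy
    end
    [status, headers, body]
  end

  private

  # Reject anything outside the spec's token list so a typo cannot
  # silently produce a header browsers ignore.
  def validate!(value)
    token = value.to_s.strip
    unless REFERRER_POLICY_VALUES.include?(token)
      raise ArgumentError, "unknown Referrer-Policy value: #{value.inspect}"
    end
    token
  end
end

# Helper (assumed): run one request through the middleware and return headers.
def build_headers(policy, upstream_headers = {})
  app = ->(_env) { [200, upstream_headers.dup, ["ok"]] }
  _status, headers, _body = ReferrerPolicyMiddleware.new(app, policy).call({})
  headers
end
```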

@oreoshake oreoshake merged commit a6f8066 into github:master Apr 27, 2016
@oreoshake
Contributor

Thanks @tomgilligan!

5 participants