Use a system setting for the Referer policy (#33239)

2024-12-10 14:16:52 +01:00
parent 7d52b24569
commit 2a369a8977
3 changed files with 9 additions and 1 deletions
--- a/app/controllers/concerns/web_app_controller_concern.rb
+++ b/app/controllers/concerns/web_app_controller_concern.rb
@@ -7,6 +7,7 @@ module WebAppControllerConcern
    vary_by 'Accept, Accept-Language, Cookie'

    before_action :redirect_unauthenticated_to_permalinks!
+    before_action :set_referer_header

    content_security_policy do |p|
      policy = ContentSecurityPolicy.new
@@ -41,4 +42,10 @@ module WebAppControllerConcern
      end
    end
  end
+
+  protected
+
+  def set_referer_header
+    response.set_header('Referrer-Policy', Setting.allow_referrer_origin ? 'origin' : 'same-origin')
+  end
 end