Always send a referrer-policy header #15673
Conversation
| @@ -287,6 +287,9 @@ public function render() | |||
| // don't send Referer-Header for outgoing links | |||
| if (!empty($this->useStrictReferrerPolicy)) { | |||
| Common::sendHeader('Referrer-Policy: same-origin'); | |||
| } else { | |||
| // always send explicit default header | |||
| Common::sendHeader('Referrer-Policy: no-referrer-when-downgrade'); | |||
There was a problem hiding this comment.
@Findus23 do you have maybe some thoughts on this?
There was a problem hiding this comment.
no-referrer-when-downgrade is the default when no header is sent, so sending it when we normally wouldn't send anything shouldn't change anything.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
There was a problem hiding this comment.
thanks @Findus23 be good if someone could still test the PR and have a look at tests. Not sure if I find time today.
There was a problem hiding this comment.
Aye it's the (implicit) default; this PR caters to our setup where we set a strict policy if nothing is explicitly set by the application (see this comment). Just in case you want to cater for our way of thinking (not sure if we're the outlier here or if more people might want to set their policies with setifempty).
|
Tests look fine and matomo seems to work fine locally for me, will merge. |
Suggested fix / improvement for #14764