more private Referrer-Policy: use strict-origin-when-cross-origin #17382
Hard to say if it would break anything. I remember #14482 broke the overlay when we tried various different settings earlier and we now worked around it with https://github.com/matomo-org/matomo/pull/14766/files. Generally sounds good to do this 👍 FYI, it seems it's not supported by IE11. And I suppose nothing changes when someone switches from HTTP to HTTPS? E.g. when logging in, we don't look at the full referrer? Not sure if something behaves differently there maybe (didn't check in detail).
In the code we have the comment
This issue is in "needs review" but there has been no activity for 7 days. ping @tsteur @sgiehl @diosmosis @flamisz
Maybe we could merge this quite early after a release, so there is a longer time to notice if this breaks something in a subtle way.
Sounds good to merge this early (cc @tsteur)
related to #17381, #15673 and matomo-org/matomo-nginx#61
At the moment we are sending a less private Referrer-Policy than the one that would be used if we didn't send one.
So now
(as long as `$this->useStrictReferrerPolicy` is not set, in which case nothing is sent to other origins)
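The Referer values a browser derives under `strict-origin-when-cross-origin`, including the HTTP to HTTPS case asked about in the conversation, as an added example that is not part of this pull request or Matomo's code. The function names and the `matomo.example` / `other.example` URLs are constructed for illustration, and the downgrade check is simplified to HTTPS versus non-HTTPS.

```javascript
// Added illustration of the W3C Referrer Policy rules; not Matomo code.
// All URLs are constructed sample values.

// Strip credentials and fragment; optionally reduce the URL to its origin.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (!/^https?:$/.test(u.protocol)) return null; // non-http(s) URLs are never sent
  u.username = '';
  u.password = '';
  u.hash = '';
  return originOnly ? u.origin + '/' : u.href;
}

// Simplification (assumption): "downgrade" means HTTPS source, non-HTTPS target.
// The spec uses "potentially trustworthy", which also covers e.g. localhost.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

// Returns the Referer header value, or null when no header is sent.
function refererFor(policy, from, to) {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'same-origin':
      return sameOrigin ? stripForReferrer(from, false) : null;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : stripForReferrer(from, false);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(from, false);
      return isDowngrade(from, to) ? null : stripForReferrer(from, true);
    default:
      throw new Error('policy not modelled here: ' + policy);
  }
}

const PAGE = 'https://matomo.example/index.php?module=CoreHome&idSite=1#top';
const TARGETS = {
  sameOrigin: 'https://matomo.example/index.php?module=Dashboard',
  crossOrigin: 'https://other.example/landing',
  downgrade: 'http://other.example/landing',
  // Same host, HTTP -> HTTPS: the scheme differs, so this is cross-origin, not a downgrade.
  httpToHttps: ['http://matomo.example/index.php?module=Login', 'https://matomo.example/'],
};
for (const [name, t] of Object.entries(TARGETS)) {
  const [from, to] = Array.isArray(t) ? t : [PAGE, t];
  console.log(name, '->', refererFor('strict-origin-when-cross-origin', from, to));
}
```

Query strings survive only on same-origin requests; a scheme change on the same host counts as cross-origin, so only the origin is sent.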