Referrer-Policy: same-origin#6303

Merged
Alkarex merged 5 commits into FreshRSS:edge from math-GH:Security-header-Referrer-Policy on Apr 1, 2025
Conversation

@math-GH
Contributor

@math-GH math-GH commented Apr 14, 2024

@math-GH math-GH added this to the 1.24.0 milestone Apr 14, 2024
@Alkarex
Member

Alkarex commented Apr 14, 2024

  1. I am not sure disabling Referer is a good idea for the ecosystem. The default behaviour (strict-origin-when-cross-origin) seems better to me
  2. In this PR, the main place where this would be relevant (the main view) is not addressed for setups not using our default .htaccess (e.g. people insisting on using nginx). We should compare with the way we define Content-Security-Policy in PHP

@Alkarex Alkarex modified the milestones: 1.24.0, 1.25.0 Apr 15, 2024
@math-GH
Contributor Author

math-GH commented Apr 15, 2024

> 1. I am not sure disabling Referer is a good idea for the ecosystem. The default behaviour (strict-origin-when-cross-origin) seems better to me

I personally prefer same-origin because of this:
[image]

same-origin keeps my very privately used server and its URL private. The target server thinks I am visiting the article directly.
strict-origin-when-cross-origin will tell the target server where I come from.

> 2. In this PR, the main place where this would be relevant (the main view) is not addressed for setups not using our default `.htaccess` (e.g. people insisting on using nginx). We should compare with the way we define `Content-Security-Policy` in PHP

I took the same lines as Content-Security-Policy in PHP and .htaccess.
Have I overlooked a line?
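
The privacy difference described in the comment above, worked through as an added example (not code from this PR or from FreshRSS): a Python model of which Referer value a browser sends under same-origin versus the default strict-origin-when-cross-origin, plus how a comma-separated Referrer-Policy header value resolves (last recognised token wins, unknown tokens are ignored). The reader URLs and article URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# The eight policy tokens defined by the Referrer Policy specification.
KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
BROWSER_DEFAULT = "strict-origin-when-cross-origin"  # applies when no header is sent


def effective_policy(header_value: str) -> str:
    """Resolve a Referrer-Policy header value the way browsers do: the
    value may be a comma-separated fallback list, the last recognised
    token wins, unknown tokens are skipped, and an empty or entirely
    unknown value leaves the browser default in force."""
    chosen = BROWSER_DEFAULT
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in KNOWN_POLICIES:
            chosen = token
    return chosen


def _host(p) -> str:
    # Drops userinfo; keeps an explicit port so origins compare correctly.
    return (p.hostname or "") + (f":{p.port}" if p.port else "")


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}"


def _full_referrer(url: str) -> str:
    # A referrer never carries the fragment or credentials.
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}{p.path or '/'}" + (f"?{p.query}" if p.query else "")


def referrer_sent(policy: str, source: str, target: str):
    """Referer value a browser sends when following a link from `source`
    to `target` under `policy`; None means no Referer header at all."""
    same_origin = _origin(source) == _origin(target)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(target).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return _full_referrer(source) if same_origin else None
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full_referrer(source)
        return None if downgrade else _origin(source) + "/"
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full_referrer(source)
    raise ValueError(f"policy not modelled here: {policy}")
```

With the reader at a constructed `https://rss.example.net/i/?a=normal`, same-origin sends nothing to a cross-origin article while the browser default still discloses `https://rss.example.net/`, which is exactly the hostname leak the comment is about.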

@Frenzie
Member

Frenzie commented Apr 15, 2024

Perhaps it makes sense in config.default.php or similar? I'm probably more sympathetic to the no referrer point of view myself, but it's definitely a thing where you can imagine people wanting more of a "website" behavior than an "app" behavior.

@math-GH math-GH marked this pull request as draft May 23, 2024 19:17
@Alkarex Alkarex modified the milestones: 1.25.0, 1.26.0 Nov 30, 2024
@Alkarex Alkarex modified the milestones: 1.26.0, 1.27.0 Feb 6, 2025
@Alkarex Alkarex modified the milestones: 1.27.0, 1.26.2 Apr 1, 2025
@Alkarex Alkarex marked this pull request as ready for review April 1, 2025 10:21
@Alkarex
Member

Alkarex commented Apr 1, 2025

Sorry for the delay 🙈 Time is flying...

@Alkarex Alkarex merged commit 1f624bc into FreshRSS:edge Apr 1, 2025
1 check passed
@Alkarex
Member

Alkarex commented Apr 1, 2025

#6303 (comment)
Was already implemented conditionally
#1198

Alkarex added a commit to Alkarex/FreshRSS that referenced this pull request Apr 1, 2025
Alkarex added a commit that referenced this pull request Apr 1, 2025
@math-GH math-GH deleted the Security-header-Referrer-Policy branch May 3, 2025 13:17