Edgewall Software

Opened 3 years ago

Closed 3 years ago

#12830 closed enhancement (wontfix)

Add a Referrer-Policy response header

Reported by: anonymous
Owned by:
Priority: normal
Milestone:
Component: web frontend
Version: 1.3dev
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:


Please add a Referrer-Policy: same-origin HTTP response header or a <meta name="referrer" content="same-origin"> element in the <head> section.

This policy instructs compatible web browsers to not send the HTTP Referer (sic) request header to external websites. Doing so can leak information about what issues the organization that is operating the bug tracker is currently worried about.

https://www.w3.org/TR/referrer-policy/
https://ctrl.blog/entry/private-bts-referrer-header

(All mentions of “Referer” and “Referrer” are spelled as intended in this ticket. The original HTTP specification made a spelling mistake, but all uses here are as intended.)

Change History (4)

comment:1 by Jun Omae, 3 years ago

Trac is used for both public and private sites. I don't think all Trac administrators want to add the header. Also, you could always add any headers via the web server, e.g. Apache, Nginx, etc.

comment:2 by Jun Omae, 3 years ago

Only Firefox 52 supports Referrer-Policy: same-origin.

See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Browser_compatibility

in reply to:  1 comment:3 by Ryan J Ollos, 3 years ago

Replying to Jun Omae:

Also, you could always add any headers via the web server, e.g. Apache, Nginx, etc.

Yeah, the request seems rare enough that configuring through the web server rather than Trac is the way to handle it.

comment:4 by Ryan J Ollos, 3 years ago

Resolution: wontfix
Status: new → closed
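
The ticket was closed in favour of setting the header outside Trac. As an added example (not code from Trac or from this ticket), the middleware below does that at the deployment layer, assuming the site is served as a WSGI application; `ReferrerPolicyMiddleware`, `demo_app` and `call` are hypothetical names, and the sample application and request are constructed.

```python
# Added example: set Referrer-Policy in a WSGI wrapper around the application.
# All names below are hypothetical; none of them is a Trac API.

# Policy tokens defined by the W3C Referrer Policy specification.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


class ReferrerPolicyMiddleware:
    """Wrap a WSGI app and make sure every response carries Referrer-Policy."""

    def __init__(self, app, policy="same-origin", override=False):
        # Reject typos early: browsers ignore policy tokens they do not know.
        if policy not in VALID_POLICIES:
            raise ValueError("unknown referrer policy: %r" % policy)
        self.app, self.policy, self.override = app, policy, override

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            def is_rp(name):
                return name.lower() == "referrer-policy"
            present = any(is_rp(n) for n, _ in headers)
            if present and self.override:
                # Drop the inner value so exactly one header is sent.
                headers = [(n, v) for n, v in headers if not is_rp(n)]
                present = False
            if not present:
                headers = list(headers) + [("Referrer-Policy", self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the wrapped application."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<a href='https://example.org/'>external link</a>"]


def call(app, path="/ticket/1"):
    """Invoke a WSGI app once; return (status, header list, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

In a WSGI script the wrapper goes around the existing application object, e.g. `application = ReferrerPolicyMiddleware(application)`. With `override=False` a policy already set further in is left alone, so a stricter per-page value survives.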
