Opened 7 years ago
Closed 7 years ago
#12830 closed enhancement (wontfix)
Add a Referrer-Policy response header
Reported by: | anonymous | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | web frontend | Version: | 1.3dev |
Severity: | normal | Keywords: | |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description
Please add a Referrer-Policy: same-origin HTTP response header or a <meta name="referrer" content="same-origin"> element in the <head> section.
This policy instructs compatible web browsers to not send the HTTP Referer (sic) request header to external websites. Doing so can leak information about what issues the organization that is operating the bug tracker is currently worried about.
https://www.w3.org/TR/referrer-policy/ https://ctrl.blog/entry/private-bts-referrer-header
(All mentions of “Referer” and “Referrer” are spelled as intended in this ticket. The original HTTP specification made a spelling mistake, but all uses here are as intended.)
Attachments (0)
Change History (4)
follow-up: 3 comment:1 by , 7 years ago
comment:2 by , 7 years ago
Only Firefox 52 supports Referrer-Policy: same-origin.
See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Browser_compatibility
comment:3 by , 7 years ago
Replying to Jun Omae:
Also, you could always add any headers via Web server, e.g. Apache, Nginx, etc.
Yeah, the request seems rare enough that configuring through web server rather than Trac is the way to handle it.
comment:4 by , 7 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Trac is used for both public site and private site. I cannot think all Trac administrators want to add the header. Also, you could always add any headers via Web server, e.g. Apache, Nginx, etc.
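An added example, not Trac's own code and not from anyone in this ticket: a WSGI wrapper that sets the header an administrator would otherwise add in Apache or Nginx (the route comment:4 points to), plus a small model of the W3C referrer-policy rules from the description showing what `same-origin` sends compared with the other policy values. `trac_stub`, `response_headers` and the URLs are constructed stand-ins, not Trac APIs.

```python
from urllib.parse import urlsplit, urlunsplit

def add_referrer_policy(app, policy="same-origin"):
    """Wrap a WSGI app (e.g. Trac's dispatch_request) so every response carries
    Referrer-Policy unless the app already set one (ticket's web-server advice, in WSGI)."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            if not any(k.lower() == "referrer-policy" for k, _ in headers):
                headers = list(headers) + [("Referrer-Policy", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped

def trac_stub(environ, start_response):  # constructed stand-in for Trac, no policy header
    start_response("200 OK", [("Content-Type", "text/html;charset=utf-8")])
    return [b"<html><head></head><body>ticket</body></html>"]

def response_headers(app, path="/ticket/12830"):
    """Drive a WSGI app with a minimal environ; return the headers it sent."""
    sent = []
    def sr(status, headers, exc_info=None):
        sent.extend(headers)
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, sr))
    return sent

def _referer_value(url, origin_only=False):
    # Referer never carries userinfo or fragment; origin-only form is scheme://host[:port]/
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    if origin_only:
        return urlunsplit((p.scheme, host, "/", "", ""))
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))

def referer_sent(policy, source, dest):
    """Referer a spec-following browser sends from `source` to `dest` (None = omitted)."""
    s, d = urlsplit(source), urlsplit(dest)
    same = (s.scheme, s.hostname, s.port) == (d.scheme, d.hostname, d.port)
    downgrade = s.scheme == "https" and d.scheme == "http"
    full, origin = _referer_value(source), _referer_value(source, True)
    return {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "same-origin": full if same else None,
        "origin": origin,
        "strict-origin": None if downgrade else origin,
        "origin-when-cross-origin": full if same else origin,
        "strict-origin-when-cross-origin": full if same else (None if downgrade else origin),
        "unsafe-url": full,
    }[policy]
```

With `same-origin`, a link from a ticket page to an external site carries no Referer at all, while in-tracker navigation keeps the full URL; the other policy values show the intermediate trade-offs.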