author: Logan Hanks <logan@google.com> 2018-11-01 14:46:05 -0700
committer: David Pursehouse <dpursehouse@collab.net> 2018-11-02 06:46:08 +0000
commit: e7fa1e7e44f63a8c9477ec5ed6be22bf24faf256 (patch)
tree: a19296ab0004a273e31159451080723df623b9cf /resources
parent: 537b7336fe7ec8b620d3cc3b62130d12ea108a2d (diff)
Set "never" referrer policy
Linkification and plugins can cause requests originating from PolyGerrit to third-party sites. Without this policy, such requests would include a "Referer" header that potentially reveals sensitive information in hostnames, project names, and filenames.

Unfortunately, different browsers implement different versions of the standard. We want to use the legacy policy name "never" so browsers that only implement the legacy standard will comply. We use a meta tag instead of an HTTP response header because Chrome doesn't respect legacy policies specified outside of meta tags.

Change-Id: Ibb601742121c6d0c9122e34dda2d447a068c0913
(cherry picked from commit dbde9244fefcbbdc948902eb57d9276804333f64)
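A deployment check for the behaviour this commit relies on, added here as an example and not part of Gerrit's code: it parses a served page head and reports whether a referrer policy that suppresses the Referer header is present and whether any script or link element that could trigger a request appears before it (the sample heads below are constructed from the template in this change, with the Soy `{\n}` markers removed, and `/app.js` is a made-up script path).

```python
"""Check that a rendered HTML head sets a Referer-suppressing policy early enough."""
from html.parser import HTMLParser

# Legacy "never" (what this commit sets) and its modern spelling "no-referrer".
NO_REFERRER_VALUES = {"never", "no-referrer"}

# Elements that can issue requests while the head is still being parsed. Inline
# scripts count too: their code may fetch before a later meta tag is seen.
FETCHING_TAGS = {"script", "link", "img", "iframe"}


class ReferrerMetaChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.policy = None         # content of the first <meta name="referrer">
        self.fetches_before = []   # fetching tags seen before that meta

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            if self.policy is None:
                self.policy = (a.get("content") or "").strip().lower()
        elif tag in FETCHING_TAGS and self.policy is None:
            self.fetches_before.append(tag)


def check_referrer_policy(html: str) -> dict:
    """Return the policy found, whether it suppresses Referer, and what preceded it."""
    p = ReferrerMetaChecker()
    p.feed(html)
    p.close()
    suppresses = p.policy in NO_REFERRER_VALUES
    return {
        "policy": p.policy,
        "suppresses_referer": suppresses,
        "fetches_before_policy": p.fetches_before,
        "ok": suppresses and not p.fetches_before,
    }


# Constructed sample modelled on the patched PolyGerrit template head.
PATCHED_HEAD = """<!DOCTYPE html><html lang="en"><head>
<meta charset="utf-8">
<meta name="description" content="Gerrit Code Review">
<meta name="referrer" content="never">
<meta name="viewport" content="width=device-width, initial-scale=1">
<script>window.CANONICAL_PATH = '';</script>
</head><body></body></html>"""
# The same head as served before this change.
UNPATCHED_HEAD = PATCHED_HEAD.replace('<meta name="referrer" content="never">\n', "")
# Policy present but placed after an external script: that script's request still carries Referer.
LATE_POLICY_HEAD = UNPATCHED_HEAD.replace(
    "<script>", '<script src="/app.js"></script><meta name="referrer" content="never"><script>')

if __name__ == "__main__":
    for name, doc in [("patched", PATCHED_HEAD), ("unpatched", UNPATCHED_HEAD), ("late", LATE_POLICY_HEAD)]:
        print(name, check_referrer_policy(doc))
```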
Diffstat (limited to 'resources')
-rw-r--r-- resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy | 1
1 files changed, 1 insertions, 0 deletions
diff --git a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
index 816dd23988..78c868432e 100644
--- a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
+++ b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
@@ -30,6 +30,7 @@
<html lang="en">{\n}
<meta charset="utf-8">{\n}
<meta name="description" content="Gerrit Code Review">{\n}
+ <meta name="referrer" content="never">{\n}
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">{\n}
<script>
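Review bot: the new line at `<meta name="referrer" content="never">` carries no explanation in the template, so the reasoning that lives only in the commit message (the legacy value "never" is used instead of the current "no-referrer" for browsers that implement only the legacy standard, and a meta tag is used instead of a Referrer-Policy response header because Chrome does not honour legacy policy values outside meta tags) will be invisible to whoever next edits this head and may be "modernised" away. Suggest a short Soy comment above the new line stating both points. The placement itself is right: a referrer meta only governs requests issued after it is parsed, and here it precedes the `<script>` block; keep it ahead of any `<link>` or preload tag that is later added to the head.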