diff options
author | Logan Hanks <logan@google.com> | 2018-11-01 14:46:05 -0700 |
---|---|---|
committer | David Pursehouse <dpursehouse@collab.net> | 2018-11-02 06:46:08 +0000 |
commit | e7fa1e7e44f63a8c9477ec5ed6be22bf24faf256 (patch) | |
tree | a19296ab0004a273e31159451080723df623b9cf /resources | |
parent | 537b7336fe7ec8b620d3cc3b62130d12ea108a2d (diff) |
Set "never" referrer policy
Linkification and plugins can cause requests originating from PolyGerrit
to third-party sites. Without this policy, such requests would include a
"Referer" header that potentially reveals sensitive information in
hostnames, project names, and filenames.
Unfortunately, different browsers implement different versions of the
standard. We want to use the legacy policy name "never" so browsers that
only implement the legacy standard will comply. We use a meta tag
instead of an HTTP response header because Chrome doesn't respect legacy
policies specified outside of meta tags.
Change-Id: Ibb601742121c6d0c9122e34dda2d447a068c0913
(cherry picked from commit dbde9244fefcbbdc948902eb57d9276804333f64)
Diffstat (limited to 'resources')
-rw-r--r-- | resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy index 816dd23988..78c868432e 100644 --- a/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy +++ b/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy @@ -30,6 +30,7 @@ <html lang="en">{\n} <meta charset="utf-8">{\n} <meta name="description" content="Gerrit Code Review">{\n} + <meta name="referrer" content="never">{\n} <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">{\n} <script> |