author: Patricio Cano <patricio@gitlab.com> 2015-10-05 16:45:35 +0000
committer: Patricio Cano <patricio@gitlab.com> 2015-10-05 16:45:35 +0000
commit: 97f7edf37a7c3c17d5038a6cb83d007aa026664c (patch)
tree: f8e0b1a65ce4dd352e44cd3a2c3658e08c80cd86
parent: 1bd4604ae5b77900a3fa5b9c388e5aeacf05af5d (diff)
parent: 5792eb954433a661bf1cf6ef17f849058dca5bc7 (diff)
download: gitlab-ce-97f7edf37a7c3c17d5038a6cb83d007aa026664c.tar.gz
Merge branch 'fix-referer-origin' into 'master'

Fix referrals for :back and relative URL installs.

`app/views/layouts/_head.html.haml` currently sets the referrer policy to "origin". This disables the use of `{ redirect_to :back }`, which is used frequently throughout GitLab, and also breaks relative URL installs for browsers that obey this policy (e.g., Chrome).

For example, using the "origin" policy the "Save Changes" button on the profile screen will (a) dump you at the GitLab home screen (which I can confirm on GitLab.com) or (b) dump you out of GitLab entirely for a relative URL install (which I can confirm on my local install).

The right policy is "origin-when-cross-origin", which disables HTTP_REFERER when coming from other sites but enables it internally. (https://w3c.github.io/webappsec-referrer-policy/)

I can confirm that this fixes the problems with ":back" on my install.

See merge request !1505
-rw-r--r--  app/views/layouts/_head.html.haml | 2
1 file changed, 1 insertion, 1 deletion
diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index c3b137e3ddf..74174a72f5a 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -3,7 +3,7 @@
%meta{charset: "utf-8"}
%meta{'http-equiv' => 'X-UA-Compatible', content: 'IE=edge'}
%meta{content: "GitLab Community Edition", name: "description"}
- %meta{name: 'referrer', content: 'origin'}
+ %meta{name: 'referrer', content: 'origin-when-cross-origin'}
%title= page_title
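Review bot: the `+` line is correct for the stated goal, but the commit message describes `origin-when-cross-origin` imprecisely: for cross-origin requests the browser still sends the scheme, host and port of the GitLab instance in the Referer header and strips only the path and query; the header is not "disabled". Same-origin requests carry the full URL, which is exactly what `redirect_to :back` (and a relative URL prefix) needs, so the trade-off is sound. Because the previous value `origin` looks like a deliberate privacy choice, a short HAML comment above the `%meta` would keep someone from reverting it later, e.g. `-# origin-when-cross-origin: full URL on same-origin requests (needed for redirect_to :back), origin only when leaving the site`. Note also that this is a browser-enforced policy, so `redirect_to :back` still has no Referer to work with from clients that do not honour the meta tag or that strip the header themselves.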