redirect_to :back missing HTTP_REFERER, breaks relative installs

There seem to be a variety of places in the GitLab code that use { redirect_to :back }. My understanding (and I started reading Ruby thirty minutes ago) is that this is supposed to use HTTP_REFERER to return to the page that issued the request, usually a form. However, HTTP_REFERER is not being set, and so one of two undesirable things happens:

1. You end up at the root page, or
2. for a relative URL install, you end up off of the GitLab instance entirely.

The profile save operation is a good example. Navigate to "Profile Settings" and click "Save changes". Here's the relevant portion of the code in app/controllers/profile_controller.rb:

def update
    user_params.except!(:email) if @user.ldap_user?

    if @user.update_attributes(user_params)
      flash[:notice] = "Profile was successfully updated"
    else
      messages = @user.errors.full_messages.uniq.join('. ')
      flash[:alert] = "Failed to update profile. #{messages}"
    end

    respond_to do |format|
      format.html { redirect_to :back }
    end
  end

But instead you end up at the root of the website, which for a relative URL install is wrong. I can confirm this behavior on gitlab.com, where the same action takes me from gitlab.com/profile to gitlab.com. Note that the behavior is also inconsistent within the profile area itself. Some screens take you back correctly (e.g., "Profile Settings / Preferences"), others drop you at the root.

It seems to me that fixing this would either require (a) setting HTTP_REFERER properly or (b) removing the use of ":back". But again: I'm very new to Ruby so apologies if I missed something obvious. But it doesn't seem to be working correctly for me. (I've also triple-checked the relative URL instructions.)

So I've traced this to the use of <meta content='origin' name='referrer'> in the page header, which sets all referrals to the site root. Again: this not only breaks ":back" but also relative URL installs. The correct tag is <meta content='origin-when-crossorigin' name='referrer'>. I'll create a merge request.

mentioned in issue #2572 (closed)

@stanhu Your fix was included in 8.0.4, so I think we can close this?

It was @gchallen's fix, and yes, it looks like we can close this issue.

Status changed to closed

mentioned in issue #3122 (closed)

Apparently, Safari doesn't obey origin-when-crossorigin, and reverts to no referrer. This has the side effect of causing error 500s for every redirect :back call.

Perhaps the right fix is to disable referrer control in meta until these directives have better cross browser support?