Fix referrals for :back and relative URL installs.
app/views/layouts/_head.html.haml currently sets the referrer policy to "origin". This disables the use of { redirect_to :back }, which is used frequently throughout GitLab, and also breaks relative URL installs for browsers that obey this policy (e.g., Chrome).
For example, using the "origin" policy, the "Save Changes" button on the profile screen will (a) dump you at the GitLab home screen (which I can confirm on GitLab.com) or (b) dump you out of GitLab entirely for a relative URL install (which I can confirm on my local install).
The right policy is "origin-when-cross-origin", which disables HTTP_REFERER when coming from other sites but enables it internally. (https://w3c.github.io/webappsec-referrer-policy/) I can confirm that this fixes the problems with ":back" on my install.
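To make the failure mode in the description concrete, here is an added example (not GitLab code, not part of the merge request) that models how a browser fills the Referer header under the two policies being compared, following the W3C Referrer Policy spec, and then replays what Rails 4's `redirect_to :back` does with that header (it redirects to the Referer, or raises `ActionController::RedirectBackError` when the header is missing). The install URL `https://example.com/gitlab` (a relative URL install with root `/gitlab`) and the profile page path are constructed for the demo; only the policies relevant to the discussion are modelled, the spec defines several more.

```ruby
require 'uri'

# Added example, not GitLab code: a small model of the Referer header under the
# W3C Referrer Policy spec and of Rails' `redirect_to :back`.
# Only "no-referrer", "origin", "origin-when-cross-origin" and "same-origin"
# are modelled here; the other policies in the spec are left out.

# "https://example.com:8443/x?y" -> "https://example.com:8443" (default ports omitted)
def origin_of(url)
  u = URI.parse(url)
  port = u.port == u.default_port ? "" : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
end

def same_origin?(a, b)
  origin_of(a) == origin_of(b)
end

# The "full URL" form of a referrer: origin + path + query, with any
# userinfo and fragment dropped, as the spec's strip-for-referrer step does.
def strip_for_referer(url)
  u = URI.parse(url)
  path = u.path.empty? ? "/" : u.path
  query = u.query ? "?#{u.query}" : ""
  "#{origin_of(url)}#{path}#{query}"
end

# Referer header value (or nil) that a conforming browser sends when
# navigating from +from+ to +to+ under +policy+.
def referer_for(policy, from, to)
  case policy
  when "no-referrer"
    nil
  when "origin"
    # Origin only, serialized with a trailing slash: path and query are lost
    # even for same-origin navigation, so a relative URL root disappears too.
    origin_of(from) + "/"
  when "origin-when-cross-origin"
    same_origin?(from, to) ? strip_for_referer(from) : origin_of(from) + "/"
  when "same-origin"
    same_origin?(from, to) ? strip_for_referer(from) : nil
  else
    raise ArgumentError, "policy not modelled in this example: #{policy}"
  end
end

# Model of `redirect_to :back` in Rails 4: send the client to the Referer,
# or raise when the header is absent.
def redirect_back(referer)
  raise "ActionController::RedirectBackError: no HTTP_REFERER" if referer.nil?
  referer
end

# True when +url+ still lies under the install's relative URL root.
def inside_install?(url, relative_url_root)
  URI.parse(url).path.start_with?(relative_url_root)
end

# Where does "Save Changes" on the profile page land the user under each policy?
# The profile form posts back to its own URL, i.e. a same-origin navigation.
# Returns { policy => redirect target } for a constructed relative URL install.
def profile_save_outcomes(install_root = "https://example.com/gitlab")
  profile = "#{install_root}/profile"
  %w[origin origin-when-cross-origin].each_with_object({}) do |policy, out|
    out[policy] = redirect_back(referer_for(policy, profile, profile))
  end
end

if __FILE__ == $0
  profile_save_outcomes.each do |policy, target|
    where = inside_install?(target, "/gitlab") ? "inside /gitlab" : "outside the install"
    puts "#{policy.ljust(25)} -> #{target} (#{where})"
  end
end
```

Under "origin" the same-origin form post carries only `https://example.com/`, so `:back` lands on the host root, which on a relative URL install is outside GitLab and on GitLab.com is the home screen. Under "origin-when-cross-origin" the same-origin post keeps the full `https://example.com/gitlab/profile`, while a navigation arriving from another site is still reduced to the bare origin.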
Thanks for doing this research! I think this is the right behavior. @patricio, do you agree?
mentioned in issue #2572 (closed)
@stanhu yes, I agree. This is the right behavior.
@stanhu before I merge this, shouldn't this include a changelog item?
mentioned in issue #1020 (closed)
@rspeicher thanks. I merged it. Please add it to 8.0.4.
mentioned in commit 97f7edf3