Only send one Referrer-Policy header

We send Referrer-Policy from nginx based on user configuration. However, Rails also sends this header by default, with a value of `strict-origin-when-cross-origin`. We want to keep the default from Rails (for non-Omnibus or non-nginx installs), but only send a single value for this header in Omnibus nginx situations. Sending two values is not technically a problem, as long as the configured value comes last[1], but it is potentially confusing and order-dependent, so this makes it clearer with no change in behaviour. [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Specifying_a_fallback_policy

Only send one Referrer-Policy header
37ccbadd · Sean McGivern · 70fcbdba · 37ccbadd · 37ccbadd
Unverified Commit 37ccbadd authored 4 years ago by Sean McGivern
--- a/changelogs/unreleased/only-send-one-referrer-policy-header.yml
+++ b/changelogs/unreleased/only-send-one-referrer-policy-header.yml
+---
+title: Only send one Referrer-Policy header
+merge_request: 4584
+author:
+type: changed
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
@@ -119,6 +119,9 @@ server {
  <% end %>
  
  <% if @referrer_policy %>
+  # Rails sets a default policy of strict-origin-when-cross-origin, so
+  # hide that and just send the one we've configured for nginx
+  proxy_hide_header Referrer-Policy;
  add_header Referrer-Policy <%= @referrer_policy %>;
  <% end %>