Commit 97f7edf3 authored by Patricio Cano

Merge branch 'fix-referer-origin' into 'master'

Fix referrals for :back and relative URL installs.

`app/views/layouts/_head.html.haml` currently sets the referrer policy to "origin". This disables the use of `{ redirect_to :back }`, which is used frequently throughout GitLab, and also breaks relative URL installs for browsers that obey this policy (e.g., Chrome).

For example, using the "origin" policy the "Save Changes" button on the profile screen will (a) dump you at the GitLab home screen (which I can confirm on GitLab.com) or (b) dump you out of GitLab entirely for a relative URL install (which I can confirm on my local install).

The right policy is "origin-when-cross-origin", which disables HTTP_REFERER when coming from other sites but enables it internally. (https://w3c.github.io/webappsec-referrer-policy/) I can confirm that this fixes the problems with ":back" on my install.

See merge request !1505
parents 1bd4604a 5792eb95
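
The behaviour described in the commit message, as an added example that is not part of the commit or of GitLab's code: a simplified model of the Referer a policy-obeying browser sends under each of the two policies, and where a handler that redirects back to the Referer would land. The host names, the `/gitlab` mount point and the helper names are assumptions constructed for illustration.

```ruby
require "uri"

# Origin (scheme://host[:port]) of a URL, as a browser serializes it.
def origin_of(url)
  u = URI.parse(url)
  port = u.port == u.default_port ? "" : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
end

# Referer value sent when navigating from `from` to `to`.
# Only the two policies touched by this commit are modelled.
def referer_for(policy, from, to)
  same_origin = origin_of(from) == origin_of(to)
  full = from.sub(/#.*\z/, "") # fragments are never sent in a Referer
  case policy
  when "origin"
    origin_of(from) + "/"
  when "origin-when-cross-origin"
    same_origin ? full : origin_of(from) + "/"
  else
    raise ArgumentError, "policy not modelled: #{policy}"
  end
end

# Path a "redirect back to the Referer" handler would send the user to.
def back_path(referer)
  URI.parse(referer).request_uri
end

# Constructed sample: a relative URL install mounted at /gitlab.
PROFILE  = "https://gitlab.example.com/gitlab/profile"
EXTERNAL = "https://other.example.net/report"

if __FILE__ == $PROGRAM_NAME
  %w[origin origin-when-cross-origin].each do |policy|
    internal = referer_for(policy, PROFILE, PROFILE)
    external = referer_for(policy, PROFILE, EXTERNAL)
    puts "#{policy}: internal Referer #{internal} -> back to #{back_path(internal)}"
    puts "#{policy}: Referer sent to other site: #{external}"
  end
end
```

Under `origin` the internal redirect target collapses to `/`, which lies outside the `/gitlab` mount point; under `origin-when-cross-origin` it stays at `/gitlab/profile` while the other site still sees only the origin.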
@@ -3,7 +3,7 @@
%meta{charset: "utf-8"}
%meta{'http-equiv' => 'X-UA-Compatible', content: 'IE=edge'}
%meta{content: "GitLab Community Edition", name: "description"}
%meta{name: 'referrer', content: 'origin'}
%meta{name: 'referrer', content: 'origin-when-cross-origin'}
 
%title= page_title
 
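Review bot: the changed `%meta{name: 'referrer', ...}` line in `_head.html.haml` has no comment recording why the value must be 'origin-when-cross-origin', so a later hardening pass could tighten it back to 'origin' and break `redirect_to :back` and relative URL installs again. Suggest a one-line HAML comment above it saying that same-origin requests need the full Referer for `:back`. It is also worth noting there that this value still sends the bare origin on cross-origin requests, including to plain-HTTP destinations, so the privacy trade-off is on record next to the setting.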