Only send one Referrer-Policy header

Sean McGivern requested to merge only-send-one-referrer-policy-header into master

What does this MR do?

We send Referrer-Policy from nginx based on user configuration. However, Rails also sends this header by default, with a value of strict-origin-when-cross-origin.

We want to keep the default from Rails (for non-Omnibus or non-nginx installs), but only send a single value for this header in Omnibus nginx situations. Sending two values is not technically a problem, as long as the configured value comes last[1], but it is potentially confusing and order-dependent, so this makes it clearer with no change in behaviour.

This is a companion to gitlab!26065 (merged), but they can be merged in any order.

I tested this locally just by setting my referrer policy (in Omnibus) to origin-when-cross-origin, and I see:

$ curl -sI http://localhost:5678/help | grep -i Referrer-Policy
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: origin-when-cross-origin

With this change, I see:

$ curl -sI http://localhost:5678/help | grep -i Referrer-Policy
Referrer-Policy: origin-when-cross-origin

Closes gitlab#32766 (closed).

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened
Edited by Ian Baum
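
A check for the condition described in this merge request, as an added example that is not part of the MR or GitLab's code: it counts the Referrer-Policy header lines in a raw response and reports the value a browser following the W3C Referrer Policy parsing rule (the last recognised token wins) would apply. The function name and the sample responses are constructed for illustration.

```python
import sys

# Policy tokens defined by the W3C Referrer Policy specification.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade",
    "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def referrer_policy_report(raw_headers):
    """Summarise the Referrer-Policy headers in a raw response header block.

    Returns (header_lines, effective): how many separate Referrer-Policy
    header lines were sent, and the policy a spec-following browser applies
    (the last recognised token across all lines, or None if there is none).
    """
    header_lines = 0
    effective = None
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "referrer-policy":
            continue
        header_lines += 1
        # One header line may itself carry a comma-separated fallback list.
        for token in value.split(","):
            token = token.strip().lower()
            if token in VALID_POLICIES:
                effective = token  # later valid tokens override earlier ones
    return header_lines, effective


# Constructed sample input, modelled on the curl output in the description.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Referrer-Policy: origin-when-cross-origin\r\n\r\n"
)
AFTER = "HTTP/1.1 200 OK\r\nReferrer-Policy: origin-when-cross-origin\r\n\r\n"

if __name__ == "__main__":
    # With piped input (curl -sI URL | python3 this_file.py) check that response.
    raw = BEFORE if sys.stdin.isatty() else sys.stdin.read()
    count, policy = referrer_policy_report(raw)
    print(f"{count} Referrer-Policy header line(s); effective policy: {policy}")
    sys.exit(0 if count <= 1 else 1)
```

The script exits non-zero when more than one Referrer-Policy line is present, so it can gate a deployment check even when the effective value happens to be the configured one.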
