Default recently changed to strict-origin-when-cross-origin which hides path
details in Referer. Disagree about this "security" and rather keep the page
information for external sites.
"base-uri 'self'", # only local pages
"frame-ancestors 'none'", # prevent malicious embedding
])));
"base-uri 'self'", # only local pages
"frame-ancestors 'none'", # prevent malicious embedding
])));
+header('Referrer-Policy: no-referrer-when-downgrade');
$Page->place += [
'user' => $User->login ?: '',
$Page->place += [
'user' => $User->login ?: '',