From 95fdba3568a0978b9401376cdca9cdd711abdb1a Mon Sep 17 00:00:00 2001 From: Mischa POSLAWSKY Date: Thu, 4 Feb 2021 02:31:48 +0100 Subject: [PATCH] page: referrer policy to include details cross-origin Default recently changed to strict-origin-when-cross-origin which hides path details in Referer. Disagree about this "security" and rather keep the page information for external sites. --- page.php | 1 + 1 file changed, 1 insertion(+) diff --git a/page.php b/page.php index 8a37533..9f9ce62 100644 --- a/page.php +++ b/page.php @@ -50,6 +50,7 @@ header(sprintf('Content-Security-Policy: %s', implode('; ', [ "base-uri 'self'", # only local pages "frame-ancestors 'none'", # prevent malicious embedding ]))); +header('Referrer-Policy: no-referrer-when-downgrade'); $Page->place += [ 'user' => $User->login ?: '', -- 2.30.0