Commit 97f7edf3 authored by Patricio Cano's avatar Patricio Cano

Merge branch 'fix-referer-origin' into 'master'

Fix referals for :back and relative URL installs.

`app/views/layouts/_head.html.haml` currently sets the referrer policy to "origin". This disables the use of `{ redirect_to :back }`, which is used frequently throughout GitLab, and also breaks relative URL installs for browsers that obey this policy (e.g., Chrome).

For example, using the "origin" policy the "Save Changes" button on the profile screen will (a) dump you at the GitLab home screen (which I can confirm on GitLab.com) or (b) dump you out of GitLab entirely for a relative URL install (which I can confirm on my local install).

The right policy is "origin-when-cross-origin", which disables HTTP_REFERER when coming from other sites but enables it internally. (https://w3c.github.io/webappsec-referrer-policy/) I can confirm that this fixes the problems with ":back" on my install.

See merge request !1505
parents 1bd4604a 5792eb95
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
%meta{charset: "utf-8"} %meta{charset: "utf-8"}
%meta{'http-equiv' => 'X-UA-Compatible', content: 'IE=edge'} %meta{'http-equiv' => 'X-UA-Compatible', content: 'IE=edge'}
%meta{content: "GitLab Community Edition", name: "description"} %meta{content: "GitLab Community Edition", name: "description"}
%meta{name: 'referrer', content: 'origin'} %meta{name: 'referrer', content: 'origin-when-cross-origin'}
%title= page_title %title= page_title
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment