Merge branch 'fix-referer-origin' into 'master'
Fix referals for :back and relative URL installs. `app/views/layouts/_head.html.haml` currently sets the referrer policy to "origin". This disables the use of `{ redirect_to :back }`, which is used frequently throughout GitLab, and also breaks relative URL installs for browsers that obey this policy (e.g., Chrome). For example, using the "origin" policy the "Save Changes" button on the profile screen will (a) dump you at the GitLab home screen (which I can confirm on GitLab.com) or (b) dump you out of GitLab entirely for a relative URL install (which I can confirm on my local install). The right policy is "origin-when-cross-origin", which disables HTTP_REFERER when coming from other sites but enables it internally. (https://w3c.github.io/webappsec-referrer-policy/) I can confirm that this fixes the problems with ":back" on my install. See merge request !1505
Showing
Please register or sign in to comment