From a7eaa01cf27cac9563a00057c4396834281323be Mon Sep 17 00:00:00 2001 From: Charles Overbeck Date: Tue, 8 Jun 2021 14:13:47 -0700 Subject: [PATCH] Set referrer-policy to strict-origin-when-cross-origin (#198) dockstore/dockstore#4263
---
templates/default.nginx_http.security.conf.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/default.nginx_http.security.conf.template b/templates/default.nginx_http.security.conf.template
index c8bbf78..c1d280d 100644
--- a/templates/default.nginx_http.security.conf.template
+++ b/templates/default.nginx_http.security.conf.template
@@ -15,7 +15,7 @@ add_header X-XSS-Protection "1; mode=block" always;
 
 # Enable a referrer policy that protects users' privacy while still enabling
 # Dockstore to see how users interact with the site.
-add_header Referrer-Policy "same-origin" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 
 # Explicitly list domains allowed to serve content for this site
 add_header Content-Security-Policy-Report-Only "report-uri https://api.dockstore-security.org/csp-report; default-src 'self'; object-src 'none'; base-uri 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none'; script-src 'report-sample' 'self' 'unsafe-hashes' 'unsafe-inline' 'unsafe-eval' discuss.dockstore.org gui.dockstore.org *.twitter.com *.twimg.com www.google-analytics.com www.googletagmanager.com; style-src 'report-sample' 'self' 'unsafe-inline' cdnjs.cloudflare.com fonts.googleapis.com *.twitter.com *.twimg.com gui.dockstore.org; connect-src 'self' s3.amazonaws.com api.github.com view.commonwl.org www.google-analytics.com gui.dockstore.org; font-src 'self' fonts.gstatic.com gui.dockstore.org; frame-src 'self' discuss.dockstore.org platform.twitter.com; img-src data: 'self' avatars0.githubusercontent.com avatars1.githubusercontent.com avatars2.githubusercontent.com avatars3.githubusercontent.com camo.githubusercontent.com gui.dockstore.org i.imgur.com api.travis-ci.com img.shields.io quay.io via.placeholder.com *.wp.com *.googleusercontent.com www.googletagmanager.com www.google-analytics.com www.gravatar.com *.twitter.com *.twimg.com;" always;
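Review bot: The two comment lines kept above the new `Referrer-Policy` directive still read as if the policy were `same-origin`, but `strict-origin-when-cross-origin` now discloses the Dockstore scheme+host to every HTTPS cross-origin destination (outbound links and the third-party resources the CSP below allows), while the path and query string remain withheld; the comment should spell out that trade-off, e.g. `# Full URL on same-origin requests, origin only to HTTPS cross-origin destinations,` / `# nothing on HTTPS->HTTP downgrades; paths and query strings never leave the site.` Two caveats belong next to this line for the next reader: nginx does not inherit `add_header` into a `server` or `location` block that declares its own `add_header`, so if any location elsewhere in this template adds a header, this directive and the other security headers in the hunk silently vanish for that location (worth checking, as the rest of the template is not visible here), and the front end can still relax the policy per request via `referrerpolicy` attributes or a `<meta name="referrer">` tag, so the header is a default rather than a ceiling. Unrelated to this change but visible in the hunk's context, `X-XSS-Protection "1; mode=block"` is deprecated filter behaviour; current guidance is to send `0` or drop the header.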