Opened 5 years ago

Closed 5 years ago

#31232 closed New feature (fixed)

Add secure default SECURE_REFERRER_POLICY / Referrer-policy header

Reported by: Adam Johnson Owned by: Adam Johnson
Component: Utilities Version: dev
Severity: Normal Keywords:
Cc: James Bennett, shubham singh Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

#29406 added the ability for the SECURE_REFERRER_POLICY setting to set Referrer-Policy, released in Django 3.0.

I propose we change the default for this to "same-origin" to make Django applications leak less information to third party sites.

The main risk of breakage here would be linked websites breaking, if they depend on verification through the Referer header. This is a pretty fragile technique since it can be spoofed.

Documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
The MDN support grid is out of date: https://caniuse.com/#search=Referrer-Policy
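As an added illustration (not part of this ticket or of Django's own code), the pure-Python function below models what a browser puts in the Referer header for each Referrer-Policy value described on the MDN page linked above, so the effect of a "same-origin" default on a cross-site link can be compared with the long-standing browser default of no-referrer-when-downgrade. All URLs are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_tuple(url):
    # Scheme, lower-cased host and effective port; used for the same-origin check.
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def _origin(url):
    # Serialised origin, e.g. "https://app.example/"; default ports are omitted.
    scheme, host, port = _origin_tuple(url)
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}/"


def _full(url):
    # Full referrer: userinfo and fragment are stripped, everything else is kept.
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path or "/", p.query, ""))


def referer_for(policy, source_url, dest_url):
    """Referer value sent for a request from source_url to dest_url under
    `policy`, or None when the browser sends no Referer at all."""
    same_origin = _origin_tuple(source_url) == _origin_tuple(dest_url)
    downgrade = urlsplit(source_url).scheme == "https" and urlsplit(dest_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(source_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(source_url)
    if policy == "origin":
        return _origin(source_url)
    if policy == "strict-origin":
        return None if downgrade else _origin(source_url)
    if policy == "same-origin":
        return _full(source_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _full(source_url) if same_origin else _origin(source_url)
    if policy == "strict-origin-when-cross-origin":
        return _full(source_url) if same_origin else (None if downgrade else _origin(source_url))
    raise ValueError(f"unknown Referrer-Policy: {policy!r}")
```

Compare `referer_for("no-referrer-when-downgrade", ...)` with `referer_for("same-origin", ...)` for a link from a page whose path or query string carries a token to a third-party site: the former sends the whole URL, the latter sends nothing.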

Change History (4)

comment:1 by shubham singh, 5 years ago

Cc: shubham singh added

comment:2 by Carlton Gibson, 5 years ago

Triage Stage: Unreviewed → Accepted

Hi Adam. Yes, I think this fits our secure-by-default philosophy. As long as the BC is documented in the release notes, I think we should have this.

comment:3 by Mariusz Felisiak, 5 years ago

Has patch: set
Owner: changed from nobody to Adam Johnson
Status: new → assigned

comment:4 by Mariusz Felisiak <felisiak.mariusz@…>, 5 years ago

Resolution: fixed
Status: assigned → closed

In 72b97a5:

Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'.
