[Django] #31232: Add secure default SECURE_REFERRER_POLICY / Referrer-policy header


Django

Feb 4, 2020, 6:25:23 AM
to django-...@googlegroups.com
#31232: Add secure default SECURE_REFERRER_POLICY / Referrer-policy header
-------------------------------------------------+------------------------
Reporter: Adam (Chainz) Johnson | Owner: nobody
Type: New feature | Status: new
Component: Utilities | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------------+------------------------
#29406 added the ability for the `SECURE_REFERRER_POLICY` setting to set
Referrer-Policy, released in Django 3.0.

I propose we change the default for this to "same-origin" to make Django
applications leak less information to third party sites.

The main risk of breakage here would be linked websites breaking, if they
depend on verification through the Referer header. This is a pretty
fragile technique since it can be spoofed.

Documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
The MDN support grid is out of date: https://caniuse.com/#search=Referrer-Policy

--
Ticket URL: <https://code.djangoproject.com/ticket/31232>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
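To make the leak concrete, here is an added example (not Django code and not part of the ticket) that models how a browser evaluates each Referrer-Policy value for a navigation from one URL to another, following the rules in the spec linked above; the helper names, the assumed default-port handling and the sample URLs are mine. Under "same-origin" a cross-origin destination gets no Referer at all, whereas "no-referrer-when-downgrade" (the older browser default) hands the full URL, query string included, to the third party.

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports assumed so "https://a.example" and "https://a.example:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """(scheme, host, port) tuple that browsers compare for same-origin checks."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname, p.port or DEFAULT_PORTS.get(scheme)

def full_referrer(url):
    """Full form: credentials and fragment are stripped under every policy."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme.lower()):
        netloc += f":{p.port}"
    return urlunsplit((p.scheme.lower(), netloc, p.path or "/", p.query, ""))

def origin_referrer(url):
    """Origin-only form: scheme, host, non-default port and a trailing slash."""
    scheme, host, port = origin_of(url)
    suffix = "" if port == DEFAULT_PORTS.get(scheme) else f":{port}"
    return f"{scheme}://{host}{suffix}/"

def referrer_for(policy, source, destination):
    """Referer value a browser sends (None = header omitted) when navigating
    from `source` to `destination` under the given Referrer-Policy."""
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = (urlsplit(source).scheme.lower() == "https"
                 and urlsplit(destination).scheme.lower() == "http")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source)
    if policy == "no-referrer-when-downgrade":  # older browser default
        return None if downgrade else full_referrer(source)
    if policy == "same-origin":  # Django's new default from this ticket
        return full_referrer(source) if same_origin else None
    if policy == "origin":
        return origin_referrer(source)
    if policy == "strict-origin":
        return None if downgrade else origin_referrer(source)
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same_origin else origin_referrer(source)
    if policy == "strict-origin-when-cross-origin":
        return full_referrer(source) if same_origin else (
            None if downgrade else origin_referrer(source))
    raise ValueError(f"unknown Referrer-Policy: {policy}")
```

Call `referrer_for` with a page URL that carries an identifier in its path or query string and a third-party destination to see exactly which part of it each policy discloses.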

Django

Feb 4, 2020, 7:04:35 PM
to django-...@googlegroups.com
#31232: Add secure default SECURE_REFERRER_POLICY / Referrer-policy header
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: nobody
Type: New feature | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by shubham singh ):

* cc: shubham singh (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/31232#comment:1>

Django

Feb 5, 2020, 3:20:18 AM
to django-...@googlegroups.com
#31232: Add secure default SECURE_REFERRER_POLICY / Referrer-policy header
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: nobody
Type: New feature | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson):

* stage: Unreviewed => Accepted


Comment:

Hi Adam, Yes, I think this fits our ''secure by default'' philosophy. As
long as the BC is documented in the release notes I think we should have
this.

--
Ticket URL: <https://code.djangoproject.com/ticket/31232#comment:2>

Django

Feb 5, 2020, 7:09:56 AM
to django-...@googlegroups.com
#31232: Add secure default SECURE_REFERRER_POLICY / Referrer-policy header
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: Adam (Chainz) Johnson
Type: New feature | Status: assigned
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* owner: nobody => Adam (Chainz) Johnson
* status: new => assigned
* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/12419 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/31232#comment:3>

Django

Feb 5, 2020, 9:04:39 AM
to django-...@googlegroups.com
#31232: Add secure default SECURE_REFERRER_POLICY / Referrer-policy header
-------------------------------------+-------------------------------------
Reporter: Adam (Chainz) Johnson | Owner: Adam (Chainz) Johnson
Type: New feature | Status: closed
Component: Utilities | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"72b97a5b1e22f5d464045be2e33f0436fa8061d3" 72b97a5]:
{{{
#!CommitTicketReference repository=""
revision="72b97a5b1e22f5d464045be2e33f0436fa8061d3"
Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31232#comment:4>
