- 🇮🇳India nikunjkotecha India, Gujarat, Rajkot
Policy should be added even if $route is empty. Right now, if $route is empty, it doesn't add the Referrer-Policy header.
Core issue #3027122: Set "Referrer-Policy" header to prevent leaking secret tokens in URLs → allows the setting of a "path_has_secret" option in the route to set a more secure referrer policy. A part of the patch adds this setting to the single-use login paths and /user/password.
So if your site has the related issue patch installed, the referrer policy will be overwritten, and in my case it was downgraded.
Add a check in the route for the "path_has_secret" option, and if it is false we will allow the setting of the referrer policy. My first patch only stops the overwriting, but we may want to duplicate the setting so you can set a referrer policy for routes with the option set.
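
The check proposed above, together with the empty-$route case from the comment, as an added example in plain PHP (not the module's or core's code). The function name, the array model of headers and route options, and the policy values are assumptions made for illustration; in Drupal the option would be read from the matched route object.

```php
<?php
// Added example: a plain PHP model of the header decision, not the module's code.
// $routeOptions is NULL when no route was matched (the empty-$route case).

/**
 * Returns the response headers after applying the configured policy.
 *
 * @param array<string,string> $headers      Headers already on the response.
 * @param array<string,mixed>|null $routeOptions Options of the matched route, or NULL.
 * @param string $configured                 Policy configured in the module.
 */
function apply_referrer_policy(array $headers, ?array $routeOptions, string $configured): array {
  // Routes flagged with "path_has_secret" keep the policy that was already set,
  // so a stricter value is not overwritten with a weaker one.
  if ($routeOptions !== NULL && !empty($routeOptions['path_has_secret'])) {
    return $headers;
  }
  // Every other response, including one with no matched route, gets the policy.
  $headers['Referrer-Policy'] = $configured;
  return $headers;
}

// Constructed sample values: the configured policy is weaker than the one
// assumed to be already present on the secret-bearing route.
$configured = 'no-referrer-when-downgrade';
$cases = [
  'no matched route'       => [[], NULL],
  'ordinary route'         => [[], ['_admin_route' => FALSE]],
  'route with secret path' => [['Referrer-Policy' => 'no-referrer'], ['path_has_secret' => TRUE]],
];

foreach ($cases as $label => [$headers, $options]) {
  $result = apply_referrer_policy($headers, $options, $configured);
  printf("%-24s Referrer-Policy: %s\n", $label, $result['Referrer-Policy'] ?? '(not set)');
}
```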
Needs work
2.0
Code