Page MenuHomePhabricator
Create Task
Maniphest T173509

Set referrer-policy in REST API responses
Closed, ResolvedPublic
Actions

Description

The [referrer-policy header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) configures how clients share referrer headers with subsequently visited pages. In regular page views, we currently set this to origin-when-cross-origin in a meta tag, which means that other sites only see "en.wikipedia.org" in the referrer, but not the precise page the user visited before.

While top-level navigations to REST API end points are fairly rare, it still wouldn't hurt to protect our client's privacy by setting referrer-policy: origin-when-cross-origin in REST API responses.

Related Objects
Search...

StatusSubtypeAssignedTask
 DeclinedNoneT165455 Go from "E" to "A+" on Securityheaders.io
 Resolved GWickeT173509 Set referrer-policy in REST API responses
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL