mediagoblin-devel

Re: [GMG-Devel] [PATCH] Prevent browsers sending referrer headers


From: Duncan
Subject: Re: [GMG-Devel] [PATCH] Prevent browsers sending referrer headers
Date: Sun, 02 Aug 2015 13:30:04 +1200

Thanks for the input, Berker and Chris!

Here's a revised patch which is configurable with a "no_referrer"
setting. It defaults to the safer behavior of not sending referrers,
with users being able to disable this protection if they wish.

Duncan

---
 mediagoblin/config_spec.ini                 | 3 +++
 mediagoblin/templates/mediagoblin/base.html | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/mediagoblin/config_spec.ini b/mediagoblin/config_spec.ini
index fd86700..0a8da73 100644
--- a/mediagoblin/config_spec.ini
+++ b/mediagoblin/config_spec.ini
@@ -86,6 +86,9 @@ allow_attachments = boolean(default=False)
 # Cookie stuff
 csrf_cookie_name = string(default='mediagoblin_csrftoken')
 
+# Set to true to prevent browsers leaking information through Referrers
+no_referrer = boolean(default=True)
+
 # Push stuff
 push_urls = string_list(default=list())
 
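Review bot: The comment above no_referrer says only that it prevents "leaking information through Referrers", and the diffstat shows no documentation change, so an administrator cannot tell what the setting actually does. Suggest spelling out that it adds <meta name="referrer" content="no-referrer"> to pages and so stops browsers sending the Referer header for links and resources loaded from them, and documenting the option alongside the other settings. Since "no-referrer" is only one of the values the referrer meta tag accepts, a string option carrying the policy value would also let sites choose a less strict policy such as "origin" without another config change later.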
diff --git a/mediagoblin/templates/mediagoblin/base.html 
b/mediagoblin/templates/mediagoblin/base.html
index ddc38b3..778cc3f 100644
--- a/mediagoblin/templates/mediagoblin/base.html
+++ b/mediagoblin/templates/mediagoblin/base.html
@@ -27,6 +27,9 @@
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    {% if app_config['no_referrer'] -%}
+      <meta name="referrer" content="no-referrer">
+    {%- endif %}
     <meta http-equiv="X-UA-Compatible" content="IE=Edge">
     <title>{% block title %}{{ app_config['html_title'] }}{% endblock 
%}</title>
     <link rel="stylesheet" type="text/css"
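Review bot: The policy at {% if app_config['no_referrer'] -%} is emitted only from base.html, so it protects only responses rendered through this template; any page or view that does not extend it gets no policy at all. Consider also setting it as a Referrer-Policy response header in the application so coverage does not depend on the template. Because content="no-referrer" suppresses the header on same-origin requests as well, it is worth confirming that nothing in the application reads the Referer (for example redirect-back logic) before defaulting this to on. Minor: with the -%} and {%- whitespace control, a disabled setting still leaves an indented blank line in the output.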
-- 
2.5.0

