Evergreen should set a referrer policy
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | New | Medium | Unassigned | |
Bug Description
Evergreen should set a referrer policy [0] to restrict what is passed in the Referer header when external resources (cover images, added content of various stripes, electronic resources, external images and CSS, and so on) are embedded or navigated to. Without one, the full catalog URL of the page a patron is viewing, query string included, is sent to every third-party host those resources load from or link to.
If a referrer policy is not set, the default policy of no-referrer-
Better values for the referrer policy include:
* strict-
* origin-
Values that would break current Evergreen functionality, particularly navigation in the public catalog during certain actions, include:
* no-referrer
* origin
* strict-origin
Values that might break legitimate inspection of the Referer header by services that perform referring URL "authentication" include:
* no-referrer
* same-origin
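To make the trade-offs above concrete, the following is an added example, not code from Evergreen or from this report: a JavaScript implementation of the "determine request's referrer" algorithm from the W3C Referrer Policy specification, used to tabulate what each policy value actually sends for three kinds of destination the report mentions (a cross-origin HTTPS cover image, a cross-origin HTTP electronic resource, and same-origin catalog navigation). The hostnames and paths are constructed for the example, the unset policy is treated as `no-referrer-when-downgrade` as the report assumes (browsers shipped since 2020 default to `strict-origin-when-cross-origin`), and "potentially trustworthy" is simplified to HTTPS or localhost.

```javascript
// Added example (not Evergreen code): reference implementation of the
// "determine request's referrer" algorithm from the W3C Referrer Policy spec,
// used to show what each policy value leaks in the Referer header.
// Simplifications (assumptions): only http/https source documents are
// handled, and "potentially trustworthy" is reduced to https or localhost.

const POLICIES = [
  'no-referrer',
  'no-referrer-when-downgrade',
  'origin',
  'origin-when-cross-origin',
  'same-origin',
  'strict-origin',
  'strict-origin-when-cross-origin',
  'unsafe-url',
];

// Assumption: https or localhost counts as "potentially trustworthy";
// the spec's definition also covers file:, 127.0.0.1 and a few other cases.
function isTrustworthy(url) {
  return url.protocol === 'https:' || url.hostname === 'localhost';
}

// "Strip url for use as a referrer": drop credentials and fragment; with
// originOnly also drop path and query, leaving "scheme://host[:port]/".
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (originOnly) {
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

// Returns the Referer value a browser would send, or null when no Referer
// header is sent. An empty policy is treated as no-referrer-when-downgrade,
// the default the report refers to (assumption; current browsers default to
// strict-origin-when-cross-origin instead).
function referrerFor(sourceHref, targetHref, policy = '') {
  const source = new URL(sourceHref);
  const target = new URL(targetHref);
  // about:, data:, blob: and other non-HTTP(S) documents never send a referrer.
  if (source.protocol !== 'http:' && source.protocol !== 'https:') return null;
  if (policy === '') policy = 'no-referrer-when-downgrade';
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);

  const full = stripForReferrer(source, false);
  const originOnly = stripForReferrer(source, true);
  const sameOrigin = source.origin === target.origin;
  // A "downgrade" is a trustworthy (https) page fetching a non-trustworthy target.
  const downgrade = isTrustworthy(source) && !isTrustworthy(target);

  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return full;
    case 'origin':                     return originOnly;
    case 'same-origin':                return sameOrigin ? full : null;
    case 'origin-when-cross-origin':   return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin':              return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unhandled policy: ${policy}`);
  }
}

// Tabulate every policy value for one source/target pair.
function referrerTable(sourceHref, targetHref) {
  const table = {};
  for (const p of POLICIES) table[p] = referrerFor(sourceHref, targetHref, p);
  return table;
}

// Constructed sample URLs (invented hosts, not real Evergreen installations):
// a catalog record page reached from a search, and three destination kinds.
const RECORD = 'https://catalog.example.org/eg/opac/record/123?query=harry#details';
const DESTINATIONS = {
  'cross-origin cover image (https)':        'https://covers.example.com/isbn/123.jpg',
  'cross-origin e-resource (http downgrade)': 'http://eresource.example.net/login',
  'same-origin catalog navigation':          'https://catalog.example.org/eg/opac/results?query=harry',
};

function printReport() {
  for (const [label, dest] of Object.entries(DESTINATIONS)) {
    console.log(`\n${label}: ${dest}`);
    for (const [p, r] of Object.entries(referrerTable(RECORD, dest))) {
      console.log(`  ${p.padEnd(32)} ${r === null ? '(no Referer)' : r}`);
    }
  }
}

printReport();
```

Reading the output against the report's lists: `no-referrer`, `origin` and `strict-origin` never send the full URL even for same-origin navigation, which is why they break catalog features that inspect the referring page; `no-referrer` and `same-origin` send nothing at all to cross-origin hosts, which is why they break referrer-based "authentication" at e-resource providers; `strict-origin-when-cross-origin` and `origin-when-cross-origin` keep the full URL inside the catalog while giving third parties only the catalog's origin (the strict variant additionally sends nothing on an HTTPS-to-HTTP downgrade). Once a policy is deployed, `curl -sI` against a catalog page should show the `Referrer-Policy` response header on every page, including error pages, since a page without the header falls back to the browser default.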
A referrer policy can be set in various ways:
- Using a Referrer-Policy HTTP header configured at the Apache or NGINX level
- Using a meta tag:
<meta name="referrer" content=
- Using a referrerpolicy attribute in <a>, <area>, <img>, <iframe>, <script>, or <link> tags
- Using a noreferrer link relation in <a>, <area>, or <link> elements.
[0] https:/