Add support for Referrer-Policy header #3775
test/headers.js (outdated)
expect(res.headers['x-content-type-options']).to.equal('nosniff');
});

it('does not return the referrer-policy header whe security.referrer is false', async () => {
It might be good to also ensure that the default behaves like false, since it would not likely be picked-up by another test.
@devinivy added another test for the default and fixed that whe typo.
API.md (outdated)
- `referrer` - controls the ['Referrer-Policy'](https://www.w3.org/TR/referrer-policy/) header value:
    - `false` - the 'Referrer-Policy' header will not be sent with responses. This is the default value.
    - `''` - empty string indicating that the Referrer-Policy will be defined elsewhere.
    - `'no-referrer'` - never include the referrer header.
@geek this is a question more than feedback on the PR - what is the difference here between `false` and `'no-referrer'`?
false doesn’t send the Referrer-Policy. no-referrer will send the RP header
The description is misleading...
Ah OK thanks!
On Fri, 6 Apr 2018, 18:16 Wyatt Preul, ***@***.***> wrote:
In API.md <#3775 (comment)>:
> @@ -3394,6 +3394,18 @@ following options:
- `noSniff` - boolean controlling the 'X-Content-Type-Options' header. Defaults to `true` setting
the header to its only and default option, `'nosniff'`.
+- `referrer` - controls the ['Referrer-Policy'](https://www.w3.org/TR/referrer-policy/) header value:
+ - `false` - the 'Referrer-Policy' header will not be sent with responses. This is the default value.
+ - `''` - empty string indicating that the Referrer-Policy will be defined elsewhere.
+ - `'no-referrer'` - never include the referrer header.
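Review bot: the `''` entry in this hunk says the policy "will be defined elsewhere" without saying where, or what the server actually sends; since "elsewhere" in the spec means an HTML meta element, suggest wording such as `- \`''\` - sends an empty 'Referrer-Policy' header, signalling that the policy is set elsewhere (for example in an HTML meta element).` The `'no-referrer'` entry has the same problem in the other direction: it describes the HTTP policy rather than the server action, which is what prompted the question about how it differs from `false`. Suggest `- \`'no-referrer'\` - sends the header with the value \`no-referrer\`, informing the client never to include a referrer.`, so that `false` (header not sent) and `'no-referrer'` (header sent) read as clearly distinct.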
false doesn’t send the Referrer-Policy. no-referrer will send the RP header
--
*John Brett*
API.md (outdated)
- `referrer` - controls the ['Referrer-Policy'](https://www.w3.org/TR/referrer-policy/) header value:
    - `false` - the 'Referrer-Policy' header will not be sent with responses. This is the default value.
    - `''` - empty string indicating that the Referrer-Policy will be defined elsewhere.
Also, can this be "empty" instead?
Yes, we can change this, but it won't be consistent with the referrer policy options, which is to send a literal empty string. Up to you, do you want me to change this?
It is just so odd to have an empty string as value. We can start with it as is and see if people are confused by it.
"elsewhere" is the language used by w3, which really means in html meta-headers. I'll make this clearer
    - `'origin-when-cross-origin'` - the referrer includes the full path for same-origin requests but only the origin components of the URL are included for cross origin requests.
    - `'strict-origin-when-cross-origin'` - same as `'origin-when-cross-origin'` but the referrer will be omitted when going from HTTPS to HTTP.
    - `'unsafe-url'` - the referrer will always be included with the full URL.
Basically, the descriptions are confusing because they are about the HTTP policy, not the hapi server actions. They need to be rewritten to read "Informs the client to...".
@hueniverse updated