Set Referrer-Policy to origin in web UI and public pages of private toots (#7162)
authorEugen Rochko <eugen@zeonfederated.com>
Tue, 17 Apr 2018 11:51:01 +0000 (13:51 +0200)
committerGitHub <noreply@github.com>
Tue, 17 Apr 2018 11:51:01 +0000 (13:51 +0200)
Fix #7115

app/controllers/home_controller.rb
app/controllers/statuses_controller.rb

index b1f8f1ad9022343b354b1d7eaa502e31c09ab478..b71424107bc30df13944ed50109057e66d0a8834 100644 (file)
@@ -2,6 +2,7 @@
 
 class HomeController < ApplicationController
   before_action :authenticate_user!
+  before_action :set_referrer_policy_header
   before_action :set_initial_state_json
 
   def index
@@ -62,4 +63,8 @@ class HomeController < ApplicationController
       about_path
     end
   end
+
+  def set_referrer_policy_header
+    response.headers['Referrer-Policy'] = 'origin'
+  end
 end
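Review bot: The value `'origin'` set in `set_referrer_policy_header` keeps paths out of the Referer header but still sends the instance origin on every outbound request, including navigation from an HTTPS page to a plain-HTTP link. If hiding the path is the only goal, `response.headers['Referrer-Policy'] = 'strict-origin'` achieves it without the downgrade case; the same applies to the identical line in StatusesController. The two controllers now carry near-duplicate helpers, which could be defined once in a shared place so the policy value cannot drift between them. Whether this method sits below a `private` marker is not visible in the hunk; it should, because Rails treats public controller methods as actions.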
index 41f098a43761f2dc70a743db51f76b3667fc2e48..a2943982a60291f3f64b514dd5336cf48f4bef70 100644 (file)
@@ -13,6 +13,7 @@ class StatusesController < ApplicationController
   before_action :set_link_headers
   before_action :check_account_suspension
   before_action :redirect_to_original, only: [:show]
+  before_action :set_referrer_policy_header, only: [:show]
   before_action :set_cache_headers
 
   def show
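Review bot: `only: [:show]` limits the header to one action, so any other action in this controller that renders a non-public status as HTML would keep the browser's default referrer policy. The rest of the controller is outside the hunk, so this may already be fine. If such actions exist, list them here or drop the `only:` filter, since the helper already returns early for public and unlisted statuses. The callback also depends on `@status` being assigned by an earlier `before_action`, which the preceding `redirect_to_original` suggests is the case.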
@@ -81,4 +82,9 @@ class StatusesController < ApplicationController
   def redirect_to_original
     redirect_to ::TagManager.instance.url_for(@status.reblog) if @status.reblog?
   end
+
+  def set_referrer_policy_header
+    return if @status.public_visibility? || @status.unlisted_visibility?
+    response.headers['Referrer-Policy'] = 'origin'
+  end
 end
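Review bot: `set_referrer_policy_header` has no comment explaining why public and unlisted statuses are skipped, and that guard is the security-relevant part of the change. It is written as an exclusion list, so every visibility other than those two receives the header, which is the safe default and worth stating. Suggested comment above the method: `# Send only the origin as referrer for any status that is not public or unlisted, so links clicked from it do not reveal its URL.` A controller spec asserting the header is present for a private status and absent for a public one would pin this behaviour.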