Add Rack::Protection::ReferrerPolicy #1291
Conversation
|
many browers not support this header. but it's future ~ |
|
@stefansundin Thanks for creating this. The Chrome issue you linked to has since been marked fixed.
Does that fact change any of your earlier assessment of the mergeability of this change? |
|
That note in the issue is confusing to say the least. Anyway, when Chrome 61 ships, it will be easy to test if the default value works as expected. |
|
Let's wait for chrome 61 to test this then. My reading of this seems to be that this name is only temporary? And will likely change to match the spec? Not sure which spec they're... referring to here tho :) |
|
This post suggests that the policy name hasn't changed: https://blog.chromium.org/2017/08/chrome-61-beta-javascript-modules.html I think the note was talking about renaming something internally. But we can still wait. |
|
@zzak I think this can merged now. :) |
|
Thanks @stefansundin, I think at some point we may want to circle back and enable this protection by default. |
Hi everyone. I decided to implement the Referrer-Policy header for rack-protection. It's a really simple header with just a string value, more information:
I considered making it enabled by default, since it has low risk of breaking the web, but I want your opinion first.
Worth noting is that the default value I picked, "strict-origin-when-cross-origin", does not work in Chrome at the moment. I picked it as it will be the most sensible default in the future, especially if this is enabled by default. See this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=627968