summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAdam Johnson <me@adamj.eu>2020-02-05 10:02:35 +0000
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2020-02-05 14:39:01 +0100
commit72b97a5b1e22f5d464045be2e33f0436fa8061d3 (patch)
treef07339168dd9fd228f9d3eab12046cc545e93b88
parent7fa1a93c6c8109010a6ff3f604fda83b604e0e97 (diff)
Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'.
-rw-r--r--django/conf/global_settings.py2
-rw-r--r--docs/ref/settings.txt6
-rw-r--r--docs/releases/3.1.txt17
-rw-r--r--tests/project_template/test_settings.py1
4 files changed, 24 insertions, 2 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 09c9b95d26..8bb59a4037 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -637,6 +637,6 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = False
SECURE_HSTS_PRELOAD = False
SECURE_HSTS_SECONDS = 0
SECURE_REDIRECT_EXEMPT = []
-SECURE_REFERRER_POLICY = None
+SECURE_REFERRER_POLICY = 'same-origin'
SECURE_SSL_HOST = None
SECURE_SSL_REDIRECT = False
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index b4a5bdc48f..8c3f6f2b47 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2395,12 +2395,16 @@ from URL paths, so patterns shouldn't include them, e.g.
.. versionadded:: 3.0
-Default: ``None``
+Default: ``'same-origin'``
If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets
the :ref:`referrer-policy` header on all responses that do not already have it
to the value provided.
+.. versionchanged:: 3.1
+
+ In older versions, the default value is ``None``.
+
.. setting:: SECURE_SSL_HOST
``SECURE_SSL_HOST``
diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt
index 4a165156e1..903e2510ba 100644
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@@ -285,6 +285,19 @@ Requests and Responses
* The new :meth:`.HttpRequest.accepts` method returns whether the request
accepts the given MIME type according to the ``Accept`` HTTP header.
+.. _whats-new-security-3.1:
+
+Security
+~~~~~~~~
+
+* The :setting:`SECURE_REFERRER_POLICY` setting now defaults to
+ ``'same-origin'``. With this configured,
+ :class:`~django.middleware.security.SecurityMiddleware` sets the
+ :ref:`referrer-policy` header to ``same-origin`` on all responses that do not
+ already have it. This prevents the ``Referer`` header being sent to other
+ origins. If you need the previous behavior, explicitly set
+ :setting:`SECURE_REFERRER_POLICY` to ``None``.
+
Serialization
~~~~~~~~~~~~~
@@ -452,6 +465,10 @@ Miscellaneous
* Providing a non-local remote field in the :attr:`.ForeignKey.to_field`
argument now raises :class:`~django.core.exceptions.FieldError`.
+* :setting:`SECURE_REFERRER_POLICY` now defaults to ``'same-origin'``. See the
+ *What's New* :ref:`Security section <whats-new-security-3.1>` above for more
+ details.
+
.. _deprecated-features-3.1:
Features deprecated in 3.1
diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py
index 5617f4a943..e8d466938d 100644
--- a/tests/project_template/test_settings.py
+++ b/tests/project_template/test_settings.py
@@ -38,6 +38,7 @@ class TestStartProjectSettings(SimpleTestCase):
self.assertEqual(headers, [
b'Content-Length: 0',
b'Content-Type: text/html; charset=utf-8',
+ b'Referrer-Policy: same-origin',
b'X-Content-Type-Options: nosniff',
b'X-Frame-Options: DENY',
])