authorNick Pope <nick.pope@flightdataservices.com>2019-03-21 21:33:41 +0000
committerCarlton Gibson <carlton.gibson@noumenal.es>2019-09-09 13:35:41 +0200
commit406dba04e1482a308cad74e3d06c050c76ba2d16 (patch)
treed5ec1f049f18481b620d993938d21de83d547673 /django/middleware/security.py
parent1edbb6c19405a629200ba3683968f3dba2744e7e (diff)
Fixed #29406 -- Added support for Referrer-Policy header.
Thanks to James Bennett for the initial implementation.
Diffstat (limited to 'django/middleware/security.py')
-rw-r--r--django/middleware/security.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/django/middleware/security.py b/django/middleware/security.py
index dfca3b64de..c0877b350a 100644
--- a/django/middleware/security.py
+++ b/django/middleware/security.py
@@ -15,6 +15,7 @@ class SecurityMiddleware(MiddlewareMixin):
self.redirect = settings.SECURE_SSL_REDIRECT
self.redirect_host = settings.SECURE_SSL_HOST
self.redirect_exempt = [re.compile(r) for r in settings.SECURE_REDIRECT_EXEMPT]
+ self.referrer_policy = settings.SECURE_REFERRER_POLICY
self.get_response = get_response
def process_request(self, request):
@@ -43,4 +44,12 @@ class SecurityMiddleware(MiddlewareMixin):
if self.xss_filter:
response.setdefault('X-XSS-Protection', '1; mode=block')
+ if self.referrer_policy:
+ # Support a comma-separated string or iterable of values to allow
+ # fallback.
+ response.setdefault('Referrer-Policy', ','.join(
+ [v.strip() for v in self.referrer_policy.split(',')]
+ if isinstance(self.referrer_policy, str) else self.referrer_policy
+ ))
+
return response
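Review bot: The two input shapes are normalised differently in the added `if self.referrer_policy:` block: a comma-separated string has each value stripped, but an iterable is joined as given, so a list entry with stray whitespace is sent verbatim and a non-string element raises `TypeError` on every response rather than at start-up. Order also matters for this header, because browsers apply the last policy they recognise, so an unordered iterable such as a set would make the fallback order arbitrary; the comment could say `# Order is significant: list the preferred policy last; use a list or tuple, not a set.` Treating both shapes the same is a two-line change, `values = policy.split(',') if isinstance(policy, str) else policy` followed by `','.join(v.strip() for v in values)`. Because the setting does not change per request, that could be computed once in `__init__`, where the first hunk assigns `self.referrer_policy`, leaving only the `setdefault` call here. Whether the values are checked against the known policy tokens elsewhere is not visible in this diff, and the enclosing method starts outside the hunk.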