launchpad-reviewers team mailing list archive

[Merge] ~ilasc/launchpad/+git/security:bug-1882910 into launchpad:master

 

Ioana Lasc has proposed merging ~ilasc/launchpad/+git/security:bug-1882910 into launchpad:master.

Commit message:
Set origin-when-cross-origin for private views

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~ilasc/launchpad/+git/security/+merge/385554

We are now setting the "origin-when-cross-origin" referrer policy for private views via <meta name="referrer"> in lib/lp/app/templates/base-layout.pt rather than via a Referrer-Policy response header.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~ilasc/launchpad/+git/security:bug-1882910 into launchpad:master.
diff --git a/lib/lp/app/templates/base-layout.pt b/lib/lp/app/templates/base-layout.pt
index b68c5d5..26f36bc 100644
--- a/lib/lp/app/templates/base-layout.pt
+++ b/lib/lp/app/templates/base-layout.pt
@@ -51,6 +51,10 @@
         tal:attributes="content view/page_description/fmt:strip-email/fmt:shorten/500" />
     </tal:view>
 
+    <tal:view condition="view/private">
+      <meta name="referrer" content="origin-when-cross-origin">
+    </tal:view>
+
     <metal:page-javascript
         use-macro="context/@@+base-layout-macros/page-javascript" />
     <tal:view condition="not: view/macro:is-page-contentless">
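
Review bot: the added `<meta name="referrer" content="origin-when-cross-origin">` is left unclosed, while the meta element in the context lines just above it ends with `/>`; write it as `<meta name="referrer" content="origin-when-cross-origin" />` so it matches its neighbour and stays well-formed if the template is parsed as XML. The diff also touches only base-layout.pt, so nothing here asserts that the tag is emitted when view/private is true and omitted otherwise; a small page test covering both cases would pin that down. One thing to confirm about the chosen value: origin-when-cross-origin still sends the origin on cross-origin requests, including to plain-HTTP destinations, so if that downgrade case matters for private views, strict-origin-when-cross-origin is the variant that suppresses it.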