Allow apps to override the Referrer-Policy header

2021-04-26 11:26:42 +02:00
parent f3d870978b
commit 70f2337b09
1 changed files with 9 additions and 1 deletions
@@ -4,6 +4,12 @@ map $http_upgrade $connection_upgrade {
    '' close;
 }

+# Allow apps to override this https://stackoverflow.com/questions/13583501/nginx-how-to-add-header-if-it-is-not-set
+map $upstream_http_referrer_policy $hrp {
+    default $upstream_http_referrer_policy;
+    "" "same-origin";
+}
+
 # http server
 server {
 <% if (endpoint === 'ip' || endpoint === 'setup') { -%>
@@ -101,7 +107,9 @@ server {
    proxy_hide_header X-Content-Type-Options;
    add_header X-Permitted-Cross-Domain-Policies "none";
    proxy_hide_header X-Permitted-Cross-Domain-Policies;
-    add_header Referrer-Policy "same-origin";
+
+    # See header handling from upstream on top of this file
+    add_header Referrer-Policy $hrp;
    proxy_hide_header Referrer-Policy;

    # workaround caching issue after /logout. if max-age is set, browser uses cache and user thinks they have not logged out