Referrer-Policy: expand applicable media-types + stricter def… (#204)

Co-authored-by: Léo Colombaro <git@colombaro.fr>
h5bp · Jan 3, 2020 · 43bcb83 · 43bcb83
1 parent d8553ee
commit 43bcb83
Showing 1 changed file with 14 additions and 13 deletions.
diff --git a/src/security/referrer-policy.conf b/src/security/referrer-policy.conf
@@ -2,24 +2,25 @@
 # | Referrer Policy                                                    |
 # ----------------------------------------------------------------------
 
-# A web application uses HTTPS and a URL-based session identifier.
-# The web application might wish to link to HTTPS resources on other web
-# sites without leaking the user's session identifier in the URL.
+# Set a strict Referrer Policy to mitigate information leakage.
 #
-# This can be done by setting a `Referrer Policy` which whitelists trusted
-# sources of content for your website.
+# (1) The `Referrer-Policy` header is included in responses for resources
+#     that are able to request (or navigate to) other resources.
 #
-# To check your referrer policy, you can use an online service such as:
-# https://securityheaders.io/.
+#     This includes the commonly used resource types:
+#     HTML, CSS, XML/SVG, PDF documents, scripts and workers.
+#
+# To prevent referrer leakage entirely, specify the `no-referrer` value
+# instead. Note that the effect could impact analytics metrics negatively.
+#
+# To check your Referrer Policy, you can use an online service, such as:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
 #
 # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 
 <IfModule mod_headers.c>
-    # no-referrer-when-downgrade (default)
-    # This should be the user agent's default behavior if no policy is
-    # specified.The origin is sent as referrer to a-priori as-much-secure
-    # destination (HTTPS->HTTPS), but isn't sent to a less secure destination
-    # (HTTPS->HTTP).
-    Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+    #                                                             (1)
+    Header set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
 </IfModule>