Limit referrer information sent to other sites

Description

When you follow a link from the Archive to another site or go to a page with the Twitter widget (e.g. a work), a header like the following is sent to that site:

The header contains the URL of the page you're coming from (or, in the case of Twitter, the page the widget is being loaded on). In other words, Twitter can tell what work you're accessing, and if you're logged in to Twitter, that information is likely associated with your Twitter account.

To prevent this, we'd like to update config/application.rb to set the Referrer-Policy to same-origin, as described in Setting HTTP security headers in Rails.

To test, open your browser’s developer tools and check the response headers after navigating from one Archive page to another. The Referrer-Policy should say same-origin. (You may need to consult Google for instructions specific to your browser.)

When testing, we should also make sure the Twitter share widget on works is still functional, and we should also check that New Relic still contains referrer information.
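To make the effect of the proposed policy concrete, here is an added example (not code from the issue or from the Archive's code base) that models what the browser puts in the Referer header for an Archive-to-Archive navigation and for the Twitter widget load under each Referrer-Policy value. The Rails fragment in the comment is the assumed change to config/application.rb; the Archive and Twitter URLs are constructed for the illustration.

```ruby
require 'uri'

# The Rails change this issue proposes (an assumed fragment, not the Archive's
# actual config/application.rb): send the header on every response.
#
#   config.action_dispatch.default_headers =
#     config.action_dispatch.default_headers.merge('Referrer-Policy' => 'same-origin')

# Origin of a parsed URI as browsers serialize it: scheme://host[:port],
# omitting the scheme's default port.
def origin_of(uri)
  default_port = uri.scheme == 'https' ? 443 : 80
  port = uri.port == default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}"
end

# The full referrer a browser would send: origin + path + query, never the
# fragment or userinfo (browsers always strip those).
def full_referrer(uri)
  path = uri.path.empty? ? '/' : uri.path
  query = uri.query ? "?#{uri.query}" : ''
  "#{origin_of(uri)}#{path}#{query}"
end

# Value of the Referer header a browser sends when a page at +source+ navigates
# to, or loads a subresource (such as the Twitter widget script) from,
# +destination+, under the given Referrer-Policy. Returns nil when no Referer
# is sent. Follows the policy definitions in the W3C Referrer Policy spec.
def referer_for(source, destination, policy)
  src = URI.parse(source)
  dst = URI.parse(destination)
  same_origin = origin_of(src) == origin_of(dst)
  downgrade = src.scheme == 'https' && dst.scheme == 'http'
  origin = "#{origin_of(src)}/"
  full = full_referrer(src)

  case policy
  when 'no-referrer'                     then nil
  when 'same-origin'                     then same_origin ? full : nil
  when 'origin'                          then origin
  when 'strict-origin'                   then downgrade ? nil : origin
  when 'origin-when-cross-origin'        then same_origin ? full : origin
  when 'strict-origin-when-cross-origin' then downgrade ? nil : (same_origin ? full : origin)
  when 'no-referrer-when-downgrade'      then downgrade ? nil : full
  when 'unsafe-url'                      then full
  else raise ArgumentError, "unknown Referrer-Policy: #{policy}"
  end
end

# Constructed sample URLs (not taken from the issue): a work page on the
# Archive, another Archive page, and the Twitter widget script.
WORK_PAGE  = 'https://archiveofourown.org/works/12345?view_adult=true'
OTHER_PAGE = 'https://archiveofourown.org/users/example/bookmarks'
TWITTER_JS = 'https://platform.twitter.com/widgets.js'

if __FILE__ == $PROGRAM_NAME
  # no-referrer-when-downgrade was the browser default when this issue was
  # filed; same-origin is the value the issue proposes.
  %w[no-referrer-when-downgrade same-origin].each do |policy|
    puts "Referrer-Policy: #{policy}"
    puts "  Archive -> Archive: #{referer_for(WORK_PAGE, OTHER_PAGE, policy).inspect}"
    puts "  Archive -> Twitter: #{referer_for(WORK_PAGE, TWITTER_JS, policy).inspect}"
  end
end
```

Run with `ruby referrer_policy.rb`. Under same-origin the Archive-to-Archive navigation still carries the full work URL, which is why server-side tooling such as New Relic keeps seeing referrer information, while the Twitter widget load carries no Referer at all; the widget script itself still loads, because the policy only controls what the browser tells the other site, not whether the request is made.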

Environment

None

Assignee

elzj78 (Elz)

Reporter

Sarken

Roadmap

Misc

Priority

Medium

Affects versions

Fix versions

Components

BackEnd
FrontEnd

Difficulty

Easy

Required Access Level

None

Milestone

Internal 0.9