Fix Referrer-Policy #443

2026-03-13 00:07:22 +00:00 · 2023-04-19 19:39:46 +02:00 · 2023-04-19 19:39:46 +02:00 · 49ab2816b3
commit 49ab2816b3
parent 44b2fa669d
4 changed files with 25 additions and 3 deletions
--- a/project/init.py
+++ b/project/init.py
@ -63,6 +63,9 @@ if os.getenv("PREFERRED_URL_SCHEME"):  # pragma: no cover

    if app.config["PREFERRED_URL_SCHEME"] == "https":
        app.config["SESSION_COOKIE_SECURE"] = True
+        app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
+        app.config["REMEMBER_COOKIE_SECURE"] = True
+        app.config["REMEMBER_COOKIE_SAMESITE"] = "Lax"

 from project.reverse_proxied import ReverseProxied

--- a/project/requests.py
+++ b/project/requests.py
@ -17,6 +17,7 @@ def set_manage_admin_unit_cookie(response):
            value=encoded,
            expires=datetime.utcnow() + timedelta(days=365),
            secure=app.config["SESSION_COOKIE_SECURE"],
+            samesite=app.config["SESSION_COOKIE_SAMESITE"],
        )

    return response
@ -29,7 +30,7 @@ def set_response_headers(response):
            response.headers["X-Frame-Options"] = "SAMEORIGIN"

    response.headers["X-Content-Type-Options"] = "nosniff"
-    response.headers["Referrer-Policy"] = "no-referrer"
+    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
    response.headers[
        "Content-Security-Policy"
    ] = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data: *.openstreetmap.org;"
--- a/project/static/site.webmanifest
+++ b/project/static/site.webmanifest
@ -1 +1,19 @@
-{"name":"","short_name":"","icons":[{"src":"/android-chrome-192x192.png","sizes":"192x192","type":"image/png"},{"src":"/android-chrome-512x512.png","sizes":"512x512","type":"image/png"}],"theme_color":"#ffffff","background_color":"#ffffff","display":"standalone"}
+{
+  "name": "",
+  "short_name": "",
+  "icons": [
+    {
+      "src": "/static/android-chrome-192x192.png",
+      "sizes": "192x192",
+      "type": "image/png"
+    },
+    {
+      "src": "/static/android-chrome-512x512.png",
+      "sizes": "512x512",
+      "type": "image/png"
+    }
+  ],
+  "theme_color": "#ffffff",
+  "background_color": "#ffffff",
+  "display": "standalone"
+}
--- a/tests/views/test_root.py
+++ b/tests/views/test_root.py
@ -8,7 +8,7 @@ def test_home(client, seeder, utils):
    response = utils.get_ok(url)
    assert response.headers["X-Frame-Options"] == "SAMEORIGIN"
    assert response.headers["X-Content-Type-Options"] == "nosniff"
-    assert response.headers["Referrer-Policy"] == "no-referrer"
+    assert response.headers["Referrer-Policy"] == "strict-origin-when-cross-origin"
    assert "Content-Security-Policy" in response.headers