Regression: Make referrer header configurable (#22126)

5 years ago · 4bcdb0d962
parent f133513dcd
commit 4bcdb0d962
3 changed files with 48 additions and 1 deletions
--- a/app/lib/server/startup/settings.js
+++ b/app/lib/server/startup/settings.js
@ -956,6 +956,37 @@ settings.addGroup('General', function() {
 		public: true,
 		multiline: true,
 	});
+	this.add('Default_Referrer_Policy', 'same-origin', {
+		type: 'select',
+		values: [
+			{
+				key: 'no-referrer',
+				i18nLabel: 'No_Referrer',
+			}, {
+				key: 'no-referrer-when-downgrade',
+				i18nLabel: 'No_Referrer_When_Downgrade',
+			}, {
+				key: 'origin',
+				i18nLabel: 'Origin',
+			}, {
+				key: 'origin-when-cross-origin',
+				i18nLabel: 'Origin_When_Cross_Origin',
+			}, {
+				key: 'same-origin',
+				i18nLabel: 'Same_Origin',
+			}, {
+				key: 'strict-origin',
+				i18nLabel: 'Strict_Origin',
+			}, {
+				key: 'strict-origin-when-cross-origin',
+				i18nLabel: 'Strict_Origin_When_Cross_Origin',
+			}, {
+				key: 'unsafe-url',
+				i18nLabel: 'Unsafe_Url',
+			},
+		],
+		public: true,
+	});
 	this.section('UTF8', function() {
 		this.add('UTF8_Names_Validation', '[0-9a-zA-Z-_.]+', {
 			type: 'string',
--- a/app/ui-master/server/inject.js
+++ b/app/ui-master/server/inject.js
@ -34,7 +34,13 @@ Meteor.startup(() => {
 		Inject.rawModHtml('headInjections', applyHeadInjections(injections));
 	});

-	injectIntoHead('noreferrer', '<meta name="referrer" content="strict-origin" />');
+	settings.get('Default_Referrer_Policy', (key, value) => {
+		if (!value) {
+			return injectIntoHead('noreferrer', '<meta name="referrer" content="same-origin" />');
+		}
+
+		injectIntoHead('noreferrer', `<meta name="referrer" content="${ value }" />`);
+	});

 	if (process.env.DISABLE_ANIMATION) {
 		injectIntoHead('disable-animation', `
--- a/packages/rocketchat-i18n/i18n/en.i18n.json
+++ b/packages/rocketchat-i18n/i18n/en.i18n.json
@ -3398,6 +3398,16 @@
  "Return_to_previous_page": "Return to previous page",
  "Return_to_the_queue": "Return back to the Queue",
  "Robot_Instructions_File_Content": "Robots.txt File Contents",
+  "Default_Referrer_Policy": "Default Referrer Policy",
+  "Default_Referrer_Policy_Description": "This controls the 'referrer' header that's sent when requesting embedded media from other servers. For more information, refer to <a href='https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy'>this link from MDN</a>. Remember, a full page refresh is required for this to take effect",
+  "No_Referrer": "No Referrer",
+  "No_Referrer_When_Downgrade": "No referrer when downgrade",
+  "Origin": "Origin",
+  "Origin_When_Cross_Origin": "Origin when cross origin",
+  "Same_Origin": "Same origin",
+  "Strict_Origin": "Strict origin",
+  "Strict_Origin_When_Cross_Origin": "Strict origin when cross origin",
+  "Unsafe_Url": "Unsafe URL",
  "Rocket_Chat_Alert": "Rocket.Chat Alert",
  "Role": "Role",
  "Role_Editing": "Role Editing",