jgm/gitit

`Referrer-Policy: no-referrer` breaks `/_logout`?


I have Debian 12 with gitit 0.15.1.0+dfsg-2+b6 and nginx 1.22.1-9 (doing `proxy_pass http://127.0.0.1:5001/`).
I was messing with https://infosec.mozilla.org/guidelines/web_security.html#referrer-policy.
I found that with `add_header Referrer-Policy no-referrer always;` in nginx.conf,
when I tried to log out, the `/_logout` URL returned a 303 redirect back to itself.
This happened over and over until Firefox reached a redirect limit.
It looks like `add_header Referrer-Policy same-origin always;` does not exhibit this issue.

I think if there is no Referer, _logout should redirect to / rather than itself?

I looked at
https://github.com/jgm/gitit/blob/0.15.1.0/src/Network/Gitit/Authentication.hs#L404-L415
but I'm not immediately sure what ought to go in the `dest <-` to implement "there is no referer".

This is a weird edge case, so I don't mind if you just say "so, don't do that" and close this ticket :-)
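The loop described in the report, modelled as an added example (this is not gitit's code and not the Haskell at the link above; it is a stand-alone Python sketch of the redirect decision). `naive_target` reproduces the reported behaviour: redirect to the Referer, and with no Referer, back to the logout route itself. `logout_redirect_target` is the suggested fix: fall back to `/` when the Referer is missing, when it points at the logout route, or when it names a different host (a Referer-driven redirect is attacker-influenced input, so limiting it to the same host also closes an open-redirect hole). `simulate_logout` plays the browser under the two header values from the report. The route name `/_logout`, the host `wiki.example` and the page `/FrontPage` are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: the logout route as named in the report, not read from gitit's source.
LOGOUT_PATH = "/_logout"


def naive_target(referer, request_host):
    """Model of the reported behaviour: go back to the Referer, otherwise stay on /_logout."""
    return urlsplit(referer).path if referer else LOGOUT_PATH


def logout_redirect_target(referer, request_host, logout_path=LOGOUT_PATH, fallback="/"):
    """Decide where to send the client after logout (hypothetical hardened version).

    - no Referer                             -> fallback (what no-referrer produces)
    - Referer on a different host            -> fallback (do not act as an open redirect)
    - Referer pointing at the logout route   -> fallback (avoid the 303 loop)
    - otherwise                              -> the Referer's own path and query
    """
    if not referer:
        return fallback
    parts = urlsplit(referer)
    if parts.netloc and parts.netloc.lower() != request_host.lower():
        return fallback
    path = parts.path or "/"
    if path.rstrip("/") == logout_path.rstrip("/"):
        return fallback
    return urlunsplit(("", "", path, parts.query, ""))


def simulate_logout(policy, host, start_page, resolver, max_redirects=20):
    """Follow the logout redirect chain as a browser would.

    policy is "no-referrer" (browser never sends Referer) or "same-origin"
    (browser sends the full previous URL because host stays the same).
    Returns (final_path, hops); final_path is None when the browser gives up.
    """
    origin = "http://" + host
    referer = origin + start_page if policy == "same-origin" else None
    location = LOGOUT_PATH  # the user clicks "logout" on start_page
    hops = 0
    while True:
        if location != LOGOUT_PATH:
            return location, hops
        if hops >= max_redirects:
            return None, hops  # Firefox's redirect limit in the report
        target = resolver(referer, host)  # the server answers 303 -> target
        hops += 1
        # the next request's Referer is the /_logout URL just visited, or nothing
        referer = origin + LOGOUT_PATH if policy == "same-origin" else None
        location = target


if __name__ == "__main__":
    for policy in ("no-referrer", "same-origin"):
        print(policy, "naive:", simulate_logout(policy, "wiki.example", "/FrontPage", naive_target))
        print(policy, "fixed:", simulate_logout(policy, "wiki.example", "/FrontPage", logout_redirect_target))
```

With `no-referrer`, the naive resolver never leaves `/_logout` and the simulation stops at the redirect limit; with `same-origin` it returns to `/FrontPage` after one hop, matching the report. The hardened resolver lands on `/` in one hop under `no-referrer`, so whatever goes into the `dest <-` binding should treat an absent or self-referencing Referer as "go to `/`".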