`Referrer-Policy: no-referrer` breaks `/_logout`?
Opened this issue · 0 comments
I have Debian 12 with gitit 0.15.1.0+dfsg-2+b6 and nginx 1.22.1-9 (doing `proxy_pass http://127.0.0.1:5001/`).
I was messing with https://infosec.mozilla.org/guidelines/web_security.html#referrer-policy
I found that with `add_header Referrer-Policy no-referrer always;` in nginx.conf,
when I tried to logout, the /_logout URL returned a 303 redirect back to itself.
This happened over and over until Firefox reached a redirect limit.
It looks like `add_header Referrer-Policy same-origin always;` does not exhibit this issue.
I think if there is no `Referer`, `_logout` should redirect to `/` rather than itself?
I looked at https://github.com/jgm/gitit/blob/0.15.1.0/src/Network/Gitit/Authentication.hs#L404-L415 but I'm not immediately sure what ought to go in the `dest <-` to implement "there is no referer".
This is a weird edge case, so I don't mind if you just say "so, don't do that" and close this ticket :-)
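To make the redirect loop and the proposed `/` fallback concrete, here is an added Python model of the logout redirect decision. It is not gitit's code and not nginx configuration: the origin, page name, redirect limit, and the two resolver functions (`destination_naive`, which models the self-redirect described in the report, and `destination_fixed`, which falls back to `/` when the `Referer` is absent, cross-site, or the logout URL itself) are all assumptions made for illustration.

```python
"""Model of the /_logout redirect decision from the report above.
Added illustration, not gitit's own code; names and the Referer handling are assumptions."""
from urllib.parse import urlsplit

SITE = "http://wiki.example"          # constructed origin of the wiki
LOGOUT_PATH = "/_logout"
REDIRECT_LIMIT = 20                    # constructed browser redirect limit


class RedirectLoop(Exception):
    """Raised when the simulated browser gives up, as Firefox did in the report."""


def destination_naive(referer):
    """Always bounce back to the Referer path; with none, fall back to the logout URL itself.
    This is an assumed model of the self-redirect the report describes, not gitit's logic."""
    return urlsplit(referer).path if referer else LOGOUT_PATH


def destination_fixed(referer):
    """Bounce to the Referer only if present, same-origin and not the logout URL; otherwise '/'."""
    if not referer:
        return "/"                      # Referrer-Policy: no-referrer strips the header entirely
    parts = urlsplit(referer)
    if parts.scheme and parts.netloc and f"{parts.scheme}://{parts.netloc}" != SITE:
        return "/"                      # cross-site Referer: do not redirect off the wiki
    path = parts.path or "/"
    if path == LOGOUT_PATH:
        return "/"                      # never redirect the logout handler to itself
    return path


def follow_logout(policy, resolver, previous_page=SITE + "/Front%20Page"):
    """Simulate a browser that navigates from previous_page to /_logout under the given
    Referrer-Policy and follows 303s until it leaves /_logout. Returns (final_path, hops)."""
    def referer_for(origin_url):
        # no-referrer: never send; same-origin: send because every hop here is same-site
        return None if policy == "no-referrer" else origin_url

    referer = referer_for(previous_page)
    location, hops = LOGOUT_PATH, 0
    while location == LOGOUT_PATH:
        hops += 1
        if hops > REDIRECT_LIMIT:
            raise RedirectLoop(f"{hops} redirects to {LOGOUT_PATH} under Referrer-Policy {policy}")
        location = resolver(referer)
        referer = referer_for(SITE + LOGOUT_PATH)   # a followed redirect now originates from /_logout
    return location, hops


def loops(policy, resolver):
    """True when the browser hits its redirect limit (the failure the report describes)."""
    try:
        follow_logout(policy, resolver)
    except RedirectLoop:
        return True
    return False


if __name__ == "__main__":
    for policy in ("same-origin", "no-referrer"):
        for name, resolver in (("naive", destination_naive), ("fixed", destination_fixed)):
            outcome = "LOOP" if loops(policy, resolver) else follow_logout(policy, resolver)
            print(f"{policy:12} {name:6} -> {outcome}")
```

Running the block prints one line per policy and resolver combination; only the `no-referrer` / naive pairing loops, matching the behaviour reported above, while the `same-origin` policy masks the problem because the header is still sent for same-site navigations.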