From 72b97a5b1e22f5d464045be2e33f0436fa8061d3 Mon Sep 17 00:00:00 2001
From: Adam Johnson
Date: Wed, 5 Feb 2020 10:02:35 +0000
Subject: [PATCH] Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'.
---
 django/conf/global_settings.py | 2 +-
 docs/ref/settings.txt | 6 +++++-
 docs/releases/3.1.txt | 17 +++++++++++++++++
 tests/project_template/test_settings.py | 1 +
 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py
index 09c9b95d26..8bb59a4037 100644
--- a/django/conf/global_settings.py
+++ b/django/conf/global_settings.py
@@ -637,6 +637,6 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = False
 SECURE_HSTS_PRELOAD = False
 SECURE_HSTS_SECONDS = 0
 SECURE_REDIRECT_EXEMPT = []
-SECURE_REFERRER_POLICY = None
+SECURE_REFERRER_POLICY = 'same-origin'
 SECURE_SSL_HOST = None
 SECURE_SSL_REDIRECT = False
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index b4a5bdc48f..8c3f6f2b47 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2395,12 +2395,16 @@ from URL paths, so patterns shouldn't include them, e.g.
 .. versionadded:: 3.0
-Default: ``None``
+Default: ``'same-origin'``
 If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`referrer-policy` header on all responses that do not already have it to the value provided.
+.. versionchanged:: 3.1
+ In older versions, the default value is ``None``.
+
 .. setting:: SECURE_SSL_HOST
 ``SECURE_SSL_HOST``
diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt
index 4a165156e1..903e2510ba 100644
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
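Review bot: The new default on `+SECURE_REFERRER_POLICY = 'same-origin'` gives a reader of the settings file no hint that `None` is the opt-out, which is what the release note in this same patch tells users to set for the previous behaviour; a one-line comment above it, `# Set to None to stop SecurityMiddleware from sending the Referrer-Policy header.`, would keep the two in step. Nothing in the diffstat touches the middleware or the checks framework, so the header's emission is presumably still gated only on the setting being truthy — worth confirming, since an empty string would then also silence it without being the documented value. The system check that warns when this setting is unset, if it is still present in this tree, will after this change only fire for explicit opt-outs; its message and its tests are not covered by this diff.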
@@ -285,6 +285,19 @@ Requests and Responses
 * The new :meth:`.HttpRequest.accepts` method returns whether the request accepts the given MIME type according to the ``Accept`` HTTP header.
+.. _whats-new-security-3.1:
+
+Security
+~~~~~~~~
+
+* The :setting:`SECURE_REFERRER_POLICY` setting now defaults to
+ ``'same-origin'``. With this configured,
+ :class:`~django.middleware.security.SecurityMiddleware` sets the
+ :ref:`referrer-policy` header to ``same-origin`` on all responses that do not
+ already have it. This prevents the ``Referer`` header being sent to other
+ origins. If you need the previous behavior, explicitly set
+ :setting:`SECURE_REFERRER_POLICY` to ``None``.
+
 Serialization
 ~~~~~~~~~~~~~
@@ -452,6 +465,10 @@ Miscellaneous
 * Providing a non-local remote field in the :attr:`.ForeignKey.to_field` argument now raises :class:`~django.core.exceptions.FieldError`.
+* :setting:`SECURE_REFERRER_POLICY` now defaults to ``'same-origin'``. See the
+ *What's New* :ref:`Security section ` above for more
+ details.
+
 .. _deprecated-features-3.1:
 Features deprecated in 3.1
diff --git a/tests/project_template/test_settings.py b/tests/project_template/test_settings.py
index 5617f4a943..e8d466938d 100644
--- a/tests/project_template/test_settings.py
+++ b/tests/project_template/test_settings.py
@@ -38,6 +38,7 @@ class TestStartProjectSettings(SimpleTestCase):
 self.assertEqual(headers, [
 b'Content-Length: 0',
 b'Content-Type: text/html; charset=utf-8',
+ b'Referrer-Policy: same-origin',
 b'X-Content-Type-Options: nosniff',
 b'X-Frame-Options: DENY',
 ])