Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'.

This commit is contained in:
Adam Johnson 2020-02-05 10:02:35 +00:00 committed by Mariusz Felisiak
parent 7fa1a93c6c
commit 72b97a5b1e
4 changed files with 24 additions and 2 deletions

View File

@ -637,6 +637,6 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = False
SECURE_HSTS_PRELOAD = False SECURE_HSTS_PRELOAD = False
SECURE_HSTS_SECONDS = 0 SECURE_HSTS_SECONDS = 0
SECURE_REDIRECT_EXEMPT = [] SECURE_REDIRECT_EXEMPT = []
SECURE_REFERRER_POLICY = None SECURE_REFERRER_POLICY = 'same-origin'
SECURE_SSL_HOST = None SECURE_SSL_HOST = None
SECURE_SSL_REDIRECT = False SECURE_SSL_REDIRECT = False

View File

@ -2395,12 +2395,16 @@ from URL paths, so patterns shouldn't include them, e.g.
.. versionadded:: 3.0 .. versionadded:: 3.0
Default: ``None`` Default: ``'same-origin'``
If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets
the :ref:`referrer-policy` header on all responses that do not already have it the :ref:`referrer-policy` header on all responses that do not already have it
to the value provided. to the value provided.
.. versionchanged:: 3.1
In older versions, the default value is ``None``.
.. setting:: SECURE_SSL_HOST .. setting:: SECURE_SSL_HOST
``SECURE_SSL_HOST`` ``SECURE_SSL_HOST``

View File

@ -285,6 +285,19 @@ Requests and Responses
* The new :meth:`.HttpRequest.accepts` method returns whether the request * The new :meth:`.HttpRequest.accepts` method returns whether the request
accepts the given MIME type according to the ``Accept`` HTTP header. accepts the given MIME type according to the ``Accept`` HTTP header.
.. _whats-new-security-3.1:
Security
~~~~~~~~
* The :setting:`SECURE_REFERRER_POLICY` setting now defaults to
``'same-origin'``. With this configured,
:class:`~django.middleware.security.SecurityMiddleware` sets the
:ref:`referrer-policy` header to ``same-origin`` on all responses that do not
already have it. This prevents the ``Referer`` header being sent to other
origins. If you need the previous behavior, explicitly set
:setting:`SECURE_REFERRER_POLICY` to ``None``.
Serialization Serialization
~~~~~~~~~~~~~ ~~~~~~~~~~~~~
@ -452,6 +465,10 @@ Miscellaneous
* Providing a non-local remote field in the :attr:`.ForeignKey.to_field` * Providing a non-local remote field in the :attr:`.ForeignKey.to_field`
argument now raises :class:`~django.core.exceptions.FieldError`. argument now raises :class:`~django.core.exceptions.FieldError`.
* :setting:`SECURE_REFERRER_POLICY` now defaults to ``'same-origin'``. See the
*What's New* :ref:`Security section <whats-new-security-3.1>` above for more
details.
.. _deprecated-features-3.1: .. _deprecated-features-3.1:
Features deprecated in 3.1 Features deprecated in 3.1

View File

@ -38,6 +38,7 @@ class TestStartProjectSettings(SimpleTestCase):
self.assertEqual(headers, [ self.assertEqual(headers, [
b'Content-Length: 0', b'Content-Length: 0',
b'Content-Type: text/html; charset=utf-8', b'Content-Type: text/html; charset=utf-8',
b'Referrer-Policy: same-origin',
b'X-Content-Type-Options: nosniff', b'X-Content-Type-Options: nosniff',
b'X-Frame-Options: DENY', b'X-Frame-Options: DENY',
]) ])