Fixed #31232 -- Changed default SECURE_REFERRER_POLICY to 'same-origin'.
This commit is contained in:
parent
7fa1a93c6c
commit
72b97a5b1e
|
@ -637,6 +637,6 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS = False
|
||||||
SECURE_HSTS_PRELOAD = False
|
SECURE_HSTS_PRELOAD = False
|
||||||
SECURE_HSTS_SECONDS = 0
|
SECURE_HSTS_SECONDS = 0
|
||||||
SECURE_REDIRECT_EXEMPT = []
|
SECURE_REDIRECT_EXEMPT = []
|
||||||
SECURE_REFERRER_POLICY = None
|
SECURE_REFERRER_POLICY = 'same-origin'
|
||||||
SECURE_SSL_HOST = None
|
SECURE_SSL_HOST = None
|
||||||
SECURE_SSL_REDIRECT = False
|
SECURE_SSL_REDIRECT = False
|
||||||
|
|
|
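Review bot: The new default `SECURE_REFERRER_POLICY = 'same-origin'` has no inline note saying how to get the old behaviour back, while the surrounding SECURE_* defaults are all plain values with the same "off" meaning (False, 0, None). Since the release notes in this commit tell users to set the value to None to restore the previous behaviour, a one-line comment at the setting would save a trip to the docs: `# Referrer-Policy header value; set to None to stop the middleware sending it.`. Setting this default non-None means every project using SecurityMiddleware now emits the header unless it opts out explicitly, which is the intended hardening; I would only make that opt-out visible where the default lives.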
@ -2395,12 +2395,16 @@ from URL paths, so patterns shouldn't include them, e.g.
|
||||||
|
|
||||||
.. versionadded:: 3.0
|
.. versionadded:: 3.0
|
||||||
|
|
||||||
Default: ``None``
|
Default: ``'same-origin'``
|
||||||
|
|
||||||
If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets
|
If configured, the :class:`~django.middleware.security.SecurityMiddleware` sets
|
||||||
the :ref:`referrer-policy` header on all responses that do not already have it
|
the :ref:`referrer-policy` header on all responses that do not already have it
|
||||||
to the value provided.
|
to the value provided.
|
||||||
|
|
||||||
|
.. versionchanged:: 3.1
|
||||||
|
|
||||||
|
In older versions, the default value is ``None``.
|
||||||
|
|
||||||
.. setting:: SECURE_SSL_HOST
|
.. setting:: SECURE_SSL_HOST
|
||||||
|
|
||||||
``SECURE_SSL_HOST``
|
``SECURE_SSL_HOST``
|
||||||
|
|
|
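Review bot: The sentence "If configured, the SecurityMiddleware sets the referrer-policy header ... to the value provided" is now misleading, because with a default of ``'same-origin'`` the setting is configured in every project unless it is explicitly set to ``None``; the opt-out is only described in the release notes, not here. I would reword the paragraph to something like "The :class:`~django.middleware.security.SecurityMiddleware` sets the :ref:`referrer-policy` header on all responses that do not already have it to this value. Set it to ``None`` to disable the header." The added ``versionchanged:: 3.1`` note is fine; it would be worth also stating there that the previous ``None`` default meant no header was sent, so the change reads as a behaviour change and not just a default change.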
@ -285,6 +285,19 @@ Requests and Responses
|
||||||
* The new :meth:`.HttpRequest.accepts` method returns whether the request
|
* The new :meth:`.HttpRequest.accepts` method returns whether the request
|
||||||
accepts the given MIME type according to the ``Accept`` HTTP header.
|
accepts the given MIME type according to the ``Accept`` HTTP header.
|
||||||
|
|
||||||
|
.. _whats-new-security-3.1:
|
||||||
|
|
||||||
|
Security
|
||||||
|
~~~~~~~~
|
||||||
|
|
||||||
|
* The :setting:`SECURE_REFERRER_POLICY` setting now defaults to
|
||||||
|
``'same-origin'``. With this configured,
|
||||||
|
:class:`~django.middleware.security.SecurityMiddleware` sets the
|
||||||
|
:ref:`referrer-policy` header to ``same-origin`` on all responses that do not
|
||||||
|
already have it. This prevents the ``Referer`` header being sent to other
|
||||||
|
origins. If you need the previous behavior, explicitly set
|
||||||
|
:setting:`SECURE_REFERRER_POLICY` to ``None``.
|
||||||
|
|
||||||
Serialization
|
Serialization
|
||||||
~~~~~~~~~~~~~
|
~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
@ -452,6 +465,10 @@ Miscellaneous
|
||||||
* Providing a non-local remote field in the :attr:`.ForeignKey.to_field`
|
* Providing a non-local remote field in the :attr:`.ForeignKey.to_field`
|
||||||
argument now raises :class:`~django.core.exceptions.FieldError`.
|
argument now raises :class:`~django.core.exceptions.FieldError`.
|
||||||
|
|
||||||
|
* :setting:`SECURE_REFERRER_POLICY` now defaults to ``'same-origin'``. See the
|
||||||
|
*What's New* :ref:`Security section <whats-new-security-3.1>` above for more
|
||||||
|
details.
|
||||||
|
|
||||||
.. _deprecated-features-3.1:
|
.. _deprecated-features-3.1:
|
||||||
|
|
||||||
Features deprecated in 3.1
|
Features deprecated in 3.1
|
||||||
|
|
|
@ -38,6 +38,7 @@ class TestStartProjectSettings(SimpleTestCase):
|
||||||
self.assertEqual(headers, [
|
self.assertEqual(headers, [
|
||||||
b'Content-Length: 0',
|
b'Content-Length: 0',
|
||||||
b'Content-Type: text/html; charset=utf-8',
|
b'Content-Type: text/html; charset=utf-8',
|
||||||
|
b'Referrer-Policy: same-origin',
|
||||||
b'X-Content-Type-Options: nosniff',
|
b'X-Content-Type-Options: nosniff',
|
||||||
b'X-Frame-Options: DENY',
|
b'X-Frame-Options: DENY',
|
||||||
])
|
])
|
||||||
|
|