Merge pull request #11722 from owncloud/feat/no-referrer

LukasHirt · web-flow · commit 1f5cbe4669ec · 2025-10-27T10:18:38.000+01:00
feat(proxy): [OCISDEV-342] set referrer-policy to no-referrer
diff --git a/changelog/unreleased/enhancement-set-referrer-policy-to-no-referrer.md b/changelog/unreleased/enhancement-set-referrer-policy-to-no-referrer.md
@@ -0,0 +1,11 @@
+Enhancement: Set Referrer-Policy to no-referrer
+
+Change the Referrer-Policy from 'strict-origin-when-cross-origin'
+to 'no-referrer' to enhance user privacy and security.
+
+Previously, the origin was sent on cross-origin requests. This change
+completely removes the Referrer header from all outgoing requests,
+preventing any potential leakage of browsing information to third parties.
+This is a more robust approach to protecting user privacy.
+
+https://github.com/owncloud/ocis/pull/11722
diff --git a/services/proxy/pkg/middleware/security.go b/services/proxy/pkg/middleware/security.go
@@ -59,7 +59,7 @@ func Security(cspConfig *config.CSP) func(h http.Handler) http.Handler {
 		ContentTypeNosniff:           true,
 		CustomFrameOptionsValue:      "SAMEORIGIN",
 		FrameDeny:                    true,
-		ReferrerPolicy:               "strict-origin-when-cross-origin",
+		ReferrerPolicy:               "no-referrer",
 		STSSeconds:                   315360000,
 		STSIncludeSubdomains:         true,
 		STSPreload:                   true,
