From 2a8881c4ca8d9e3632f311055c06706f79493e4e Mon Sep 17 00:00:00 2001
From: Gusted
Date: Fri, 16 Jan 2026 00:03:07 +0100
Subject: [PATCH] fix: use `strict-origin` as referrer policy (#10851)

- Resolves forgejo/forgejo#10849
- Yes, the referrer policy is causing cross-origin protection to fail. Why? Because someone really cared about privacy, the referrer policy was set to no-referrer. So no `Referrer` HTTP header and `Origin` is either omitted or set to `null`, because hey the browser isn't allowed to leak it via that header either. The new cross-origin protection relies on Sec-Fetch metadata to determine if the request is same-origin or not. This metadata is only sent to trustworthy origins, and thus not when you visit Forgejo on your intranet. But the new protection has a fallback to compare the Origin to the Host header... but the Origin header was conveniently set to `null` to protect the user's privacy.
- We now set the referrer policy to strict-origin, which means only for same-origin requests an Origin header is set. For cross-origin the behavior is unchanged and the user's privacy is preserved.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10851
Reviewed-by: Beowulf
Reviewed-by: Michael Kriese
Co-authored-by: Gusted
Co-committed-by: Gusted
---
 templates/base/head.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/base/head.tmpl b/templates/base/head.tmpl index 12b41ac922..d31d25db46 100644 --- a/templates/base/head.tmpl +++ b/templates/base/head.tmpl @@ -8,7 +8,7 @@ - + {{if .GoGetImport}}
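Review bot: the commit message's description of `strict-origin` does not match what the policy does: with `strict-origin` the browser also sends the origin on cross-origin requests as long as the security level does not drop (HTTPS to HTTPS); only a downgrade to plain HTTP suppresses it. "For cross-origin the behavior is unchanged" is therefore inaccurate; either reword the message, or, if the intent really is to expose the origin only to same-origin requests (which is all the Origin-vs-Host fallback needs), consider `same-origin` as the policy value. Separately, the `-` and `+` lines of the `@@ -8,7 +8,7 @@` hunk are empty in this rendering, so the old and new `content` values cannot be verified from the page; a regression test that POSTs without `Sec-Fetch-Site` and with `Origin: null` versus an `Origin` matching `Host` would pin the plain-HTTP intranet case that motivated the fix.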
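The two-stage check the commit message describes (Sec-Fetch-Site first, then a fallback comparing `Origin` to `Host`) and why a `null` Origin breaks it, as an added Go illustration; this is not Forgejo's own code, and the `classify` function, the `Verdict` type and the constructed requests against a hypothetical `git.intranet` host are assumptions made for the example:

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Verdict is the outcome of the cross-origin check for one request.
type Verdict int

const (
	SameOrigin  Verdict = iota // request may proceed
	CrossOrigin                // request must be rejected
	Unknown                    // no usable metadata; caller decides its policy
)

// classify mirrors the logic described in the commit message (hypothetical
// implementation, not Forgejo's): trust Sec-Fetch-Site when present, else fall
// back to comparing the Origin header's host against the Host header.
func classify(r *http.Request) Verdict {
	switch strings.ToLower(r.Header.Get("Sec-Fetch-Site")) {
	case "same-origin", "none": // "none" is a user-initiated navigation
		return SameOrigin
	case "same-site", "cross-site":
		return CrossOrigin
	}
	// Browsers only send Sec-Fetch-* to trustworthy (HTTPS/localhost) origins,
	// so a plain-HTTP intranet deployment lands here.
	origin := r.Header.Get("Origin")
	if origin == "" {
		return Unknown
	}
	if origin == "null" {
		// Opaque origin: what a no-referrer policy yields even for a same-origin
		// form POST. It can never match Host, so the fallback rejects it.
		return CrossOrigin
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return CrossOrigin
	}
	if strings.EqualFold(u.Host, r.Host) {
		return SameOrigin
	}
	return CrossOrigin
}

// newPost builds a constructed POST to an assumed intranet host with the given headers.
func newPost(host string, hdr map[string]string) *http.Request {
	r, err := http.NewRequest(http.MethodPost, "http://"+host+"/repo/settings", nil)
	if err != nil {
		panic(err)
	}
	for k, v := range hdr {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	cases := map[string]map[string]string{
		"no-referrer policy, same-origin POST":   {"Origin": "null"},
		"strict-origin policy, same-origin POST": {"Origin": "http://git.intranet"},
		"cross-site POST from another page":      {"Origin": "http://other.example"},
		"HTTPS client with Sec-Fetch-Site":       {"Sec-Fetch-Site": "cross-site"},
	}
	for name, hdr := range cases {
		fmt.Printf("%-40s -> %v\n", name, classify(newPost("git.intranet", hdr)))
	}
}
```

The first case is the failure mode from the issue: on plain HTTP there is no Sec-Fetch-Site, and a `no-referrer` policy turns the Origin of a legitimate same-origin POST into `null`, which the fallback has to treat as foreign.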