frank-fischer-by opened a new issue #16434:
URL: https://github.com/apache/airflow/issues/16434


   **Description**
   
   Properly set [HTTP Security Header 
`Referrer-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)
 instead of relying on browser or environment defaults.
   
   **Use case / motivation**
   
   1. Airflow in some places has a hard requirement that the `referrer` header 
is required for navigation/functionality, e.g. 
[here](https://github.com/apache/airflow/blob/69a1a732a034406967e82a59be6d3c019e94a07b/airflow/www/views.py#L2653).
   There are numerous places where this header is _not_ needed.
   
   2. I'm deferring to an [external 
source](https://web.dev/referrer-best-practices/#why-%22explicitly%22) which 
gives a good overview and makes good arguments why to set it explicitly:
   
   > Why "explicitly"?
   > If no referrer policy is set, the browser's default policy will be used - in fact, websites often defer to the browser's default. But this is not ideal, because:
   > * Browser default policies are either `no-referrer-when-downgrade`, `strict-origin-when-cross-origin`, or stricter - depending on the browser and mode (private/incognito). **So your website won't behave predictably across browsers**.
   > * Browsers are adopting stricter defaults such as `strict-origin-when-cross-origin` and mechanisms such as referrer trimming for cross-origin requests. Explicitly opting into a privacy-enhancing policy before browser defaults change gives you control and helps you run tests as you see fit.

   Therefore, we have an implicit coupling to the browser's default behaviour.
   
   3. There are (suggested) best-practices like injecting "secure" headers 
yourself **in case the application does not provide explicit values**. [This 
example](https://blogs.sap.com/2019/02/11/kubernetes-security-secure-by-default-headers-with-envoy-and-istio/)
 uses service mesh functionality to set `Referrer-Policy: no-referrer` if the 
service/pod app does not set something itself.
   
   ---
   
   → There are three obvious ways to tackle this:
   
   1. Document the "minimum requirement", e.g. explicitly stipulate the lack of 
support for policies like `Referrer-Policy: no-referrer`.
   2. Explicitly set a sane (configurable?) global value, e.g. 
`strict-origin-when-cross-origin`.
   3. Explicitly set specific values, depending on which page the user is (and 
might go to).
   
   **Are you willing to submit a PR?**
   
   That depends on the preferred solution 😬.
   I'm quite new to this area but _might_ be able to tackle solutions 1/2 with some guidance/help.
   
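An added example (not Airflow's code) of options 2 and 3 above combined in one WSGI middleware: a configurable global default, per-path overrides for views that still need the referrer, and the "inject only if the app did not set it" behaviour from point 3. `ReferrerPolicyMiddleware`, `call_app`, the `/dags/` prefix and the constructed `upstream_app` are assumptions for the illustration.

```python
# Values defined for Referrer-Policy (see the MDN page linked in the issue).
VALID_POLICIES = frozenset({
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
})

class ReferrerPolicyMiddleware:
    """Global default (option 2) plus per-path overrides (option 3).

    A Referrer-Policy already emitted by the wrapped app is left untouched, the
    same 'inject only when the app sets nothing' pattern as the mesh example.
    """
    def __init__(self, app, default="strict-origin-when-cross-origin", per_path=None):
        for value in [default, *(per_path or {}).values()]:
            if value not in VALID_POLICIES:  # fail at startup, not per request
                raise ValueError(f"unknown Referrer-Policy value: {value!r}")
        self.app, self.default, self.per_path = app, default, dict(per_path or {})

    def _policy_for(self, path):
        # Longest matching path prefix wins; otherwise the global default.
        matches = [p for p in self.per_path if path.startswith(p)]
        return self.per_path[max(matches, key=len)] if matches else self.default

    def __call__(self, environ, start_response):
        policy = self._policy_for(environ.get("PATH_INFO", "/"))
        def wrapped_start_response(status, headers, exc_info=None):
            if not any(name.lower() == "referrer-policy" for name, _ in headers):
                headers = list(headers) + [("Referrer-Policy", policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start_response)

def call_app(app, path):
    """Minimal WSGI driver: (status, headers dict, body) for a GET on `path`."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body

# Constructed upstream app (hypothetical): one route sets its own policy, others none.
def upstream_app(environ, start_response):
    headers = [("Content-Type", "text/plain")]
    if environ["PATH_INFO"] == "/opaque":
        headers.append(("Referrer-Policy", "no-referrer"))
    start_response("200 OK", headers)
    return [b"ok"]

# Assumed layout: views under /dags/ rely on the referrer, so keep it same-origin there.
app = ReferrerPolicyMiddleware(upstream_app, per_path={"/dags/": "same-origin"})
```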