From 428939be9f954d39b0c41bc53d85d0d106b9d1a1 Mon Sep 17 00:00:00 2001
From: Guillermo Iguaran <guilleiguaran@gmail.com>
Date: Mon, 8 Jan 2018 22:14:22 -0500
Subject: Add 'Referrer-Policy' header to default headers set

---
 actionpack/CHANGELOG.md                   | 4 ++++
 actionpack/lib/action_dispatch/railtie.rb | 3 ++-
 actionpack/test/dispatch/response_test.rb | 6 ++++--
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 2519eb4e2c..a952eade08 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   Add `Referrer-Policy` header to default headers set.
+
+    *Guillermo Iguaran*
+
 *   Changed the system tests to set Puma as default server only when the
     user haven't specified manually another server.
 
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 95e99987a0..eb6fbca6ba 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -28,7 +28,8 @@ module ActionDispatch
       "X-XSS-Protection" => "1; mode=block",
       "X-Content-Type-Options" => "nosniff",
       "X-Download-Options" => "noopen",
-      "X-Permitted-Cross-Domain-Policies" => "none"
+      "X-Permitted-Cross-Domain-Policies" => "none",
+      "Referrer-Policy" => "strict-origin-when-cross-origin"
     }
 
     config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
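Review bot: The new `"Referrer-Policy" => "strict-origin-when-cross-origin"` entry carries no rationale, and a browser that does not recognise that token ignores the header and applies its own built-in default (historically `no-referrer-when-downgrade`), which still sends the full URL — path and query string included — to cross-origin destinations when both sides are HTTPS. The header accepts a comma-separated fallback list in which the last recognised token wins, so `"Referrer-Policy" => "no-referrer, strict-origin-when-cross-origin"` would give non-supporting browsers a stricter fallback; whether that trade-off belongs in a framework-wide default is a judgement call, so at minimum a comment such as `# Cross-origin requests get only the origin, downgrades get nothing; browsers without support ignore this header` would help maintainers. The `default_headers` assignment this hash belongs to begins before the hunk.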
diff --git a/actionpack/test/dispatch/response_test.rb b/actionpack/test/dispatch/response_test.rb
index 4e350162c9..0b727dad3d 100644
--- a/actionpack/test/dispatch/response_test.rb
+++ b/actionpack/test/dispatch/response_test.rb
@@ -311,7 +311,7 @@ class ResponseTest < ActiveSupport::TestCase
     end
   end
 
-  test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies" do
+  test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options and x_permitted_cross_domain_policies, referrer_policy" do
     original_default_headers = ActionDispatch::Response.default_headers
     begin
       ActionDispatch::Response.default_headers = {
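Review bot: The renamed test title mixes "and" with a trailing comma — `... x_download_options and x_permitted_cross_domain_policies, referrer_policy` — which reads as if the last item were tacked on; `test "read x_frame_options, x_content_type_options, x_xss_protection, x_download_options, x_permitted_cross_domain_policies and referrer_policy" do` keeps the list grammatical. This `test` block continues past the end of the hunk.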
@@ -319,7 +319,8 @@ class ResponseTest < ActiveSupport::TestCase
         "X-Content-Type-Options" => "nosniff",
         "X-XSS-Protection" => "1;",
         "X-Download-Options" => "noopen",
-        "X-Permitted-Cross-Domain-Policies" => "none"
+        "X-Permitted-Cross-Domain-Policies" => "none",
+        "Referrer-Policy" => "strict-origin-when-cross-origin"
       }
       resp = ActionDispatch::Response.create.tap { |response|
         response.body = "Hello"
@@ -331,6 +332,7 @@ class ResponseTest < ActiveSupport::TestCase
       assert_equal("1;", resp.headers["X-XSS-Protection"])
       assert_equal("noopen", resp.headers["X-Download-Options"])
       assert_equal("none", resp.headers["X-Permitted-Cross-Domain-Policies"])
+      assert_equal("strict-origin-when-cross-origin", resp.headers["Referrer-Policy"])
     ensure
       ActionDispatch::Response.default_headers = original_default_headers
     end
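Review bot: The added assertion only round-trips a value the test itself assigns to `ActionDispatch::Response.default_headers` a few lines earlier, so the railtie's new `strict-origin-when-cross-origin` default is never exercised here — a typo or later edit to the value in railtie.rb would pass this suite unnoticed. Unless a railties-level test elsewhere already checks the booted application's `config.action_dispatch.default_headers`, consider adding one that asserts `"Referrer-Policy" => "strict-origin-when-cross-origin"` is present on a response from a default app. The `test` block and its `begin`/`ensure` start before this hunk.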
-- 
cgit v1.2.3