From fbe17a7386ff6d917f0488d54808ae2b8ec96d12 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?=
Date: Sat, 23 Dec 2017 09:35:59 -0800
Subject: [PATCH] Allow fallbacks for $wgReferrerPolicy
For browsers that support older versions of the Referrer Policy specification (Edge and Safari), using a value from a newer version of the specification will result in those browsers falling back to a default of "default". So allow $wgReferrerPolicy to have fallbacks if the browser does not recognize the currently set value. It will emit tags for each value in the array, but in reverse order, as browsers will use the last one that they recognize.
Bug: T180921
Change-Id: Ie0f523fc6937c9ecffc8a6fc791c6b54d5a1cb06
---
 RELEASE-NOTES-1.31 | 2 ++
 includes/DefaultSettings.php | 8 ++++++--
 includes/OutputPage.php | 12 ++++++++----
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31
index 1a1a9f71e6..aa8e5f4515 100644
--- a/RELEASE-NOTES-1.31
+++ b/RELEASE-NOTES-1.31
@@ -19,6 +19,8 @@ production.
 maintenance/cleanupUsersWithNoId.php.
 * $wgResourceLoaderMinifierStatementsOnOwnLine and $wgResourceLoaderMinifierMaxLineLength were removed (deprecated since 1.27).
+* (T180921) $wgReferrerPolicy now supports having fallbacks for browsers that are not
+ using the latest version of the Referrer Policy specification.
 === New features in 1.31 ===
 * Wikimedia\Rdbms\IDatabase->select() and similar methods now support
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index d0a02de05b..163e253fca 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -316,7 +316,7 @@ $wgAppleTouchIcon = false;
 /**
 * Value for the referrer policy meta tag.
- * One of the values defined in the Referrer Policy specification:
+ * One or more of the values defined in the Referrer Policy specification:
 * https://w3c.github.io/webappsec-referrer-policy/
 * ('no-referrer', 'no-referrer-when-downgrade', 'same-origin',
 * 'origin', 'strict-origin', 'origin-when-cross-origin',
@@ -324,8 +324,12 @@ $wgAppleTouchIcon = false;
 * Setting it to false prevents the meta tag from being output
 * (which results in falling back to the Referrer-Policy header,
 * or 'no-referrer-when-downgrade' if that's not set either.)
+ * Setting it to an array (supported since 1.31) will create a meta tag for
+ * each value, in the reverse of the order (meaning that the first array element
+ * will be the default and the others used as fallbacks for browsers which do not
+ * understand it).
 *
- * @var string|bool
+ * @var array|string|bool
 * @since 1.25
 */
 $wgReferrerPolicy = false;
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 92963fd18b..9cf94d866e 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3331,10 +3331,14 @@ class OutputPage extends ContextSource {
 ] );
 if ( $config->get( 'ReferrerPolicy' ) !== false ) {
- $tags['meta-referrer'] = Html::element( 'meta', [
- 'name' => 'referrer',
- 'content' => $config->get( 'ReferrerPolicy' )
- ] );
+ // Per https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values
+ // fallbacks should come before the primary value so we need to reverse the array.
+ foreach ( array_reverse( (array)$config->get( 'ReferrerPolicy' ) ) as $i => $policy ) {
+ $tags["meta-referrer-$i"] = Html::element( 'meta', [
+ 'name' => 'referrer',
+ 'content' => $policy,
+ ] );
+ }
 }
 $p = "{$this->mIndexPolicy},{$this->mFollowPolicy}";
-- 2.20.1
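Review bot: The array paragraph added to the `$wgReferrerPolicy` doc comment (second hunk of includes/DefaultSettings.php) does not say what a fallback means for privacy: a browser that does not recognise the first element applies a later one, so on those browsers the effective policy is the fallback, not the first value. I would add a sentence such as `Choose each fallback to be no more permissive than you are willing to accept, since browsers that do not know the first value will apply it instead.` The comment could also state that values are emitted as configured and are not checked against the list above, which is what the includes/OutputPage.php hunk shows. Since only `false` is given a meaning in the text, `@var string[]|string|false` would describe the setting more precisely than `array|string|bool`.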
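Review bot: In the includes/OutputPage.php hunk the tag key changes from `meta-referrer` to `meta-referrer-$i` even when a single string is configured, so code that later reads, replaces or unsets `$tags['meta-referrer']` (for instance to tighten the policy on particular pages) would silently stop matching; whether such callers exist is not visible in this hunk. Keeping the primary value under the old key avoids that: `$policies = array_reverse( array_values( (array)$config->get( 'ReferrerPolicy' ) ) );` before the loop and `$key = $i === count( $policies ) - 1 ? 'meta-referrer' : "meta-referrer-$i";` inside it. The `array_values()` call also keeps string keys of the configured array out of the tag key. Each element is written to `content` unchecked, so a non-string element or a misspelt token yields a tag that browsers will presumably ignore; an `is_string()` guard with a debug log entry would make such a misconfiguration visible. The enclosing method starts and ends outside the hunk.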