From 2033fdbcde682d954830628e05e4c12792526b9c Mon Sep 17 00:00:00 2001
From: Deimos
Date: Fri, 22 Mar 2019 14:33:46 -0600
Subject: [PATCH] Referrer-Policy: strict-origin-when-cross-origin

Previously, this was set as "same-origin" which will only send a referrer to Tildes itself. This changes so that it will continue sending the full referrer to Tildes, but will send only the domain to external sites if they use HTTPS (and no referer to HTTP ones).

This can be useful because there are often situations where an article author sees traffic coming from a site and will come to check it out and be able to participate in the discussion.
---
 salt/salt/nginx/tildes-static-sites.conf.jinja2 | 2 +-
 salt/salt/nginx/tildes.conf.jinja2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/salt/nginx/tildes-static-sites.conf.jinja2 b/salt/salt/nginx/tildes-static-sites.conf.jinja2
index f17c0ff..f9d94d7 100644
--- a/salt/salt/nginx/tildes-static-sites.conf.jinja2
+++ b/salt/salt/nginx/tildes-static-sites.conf.jinja2
@@ -10,7 +10,7 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-Xss-Protection "1; mode=block" always;
- add_header Referrer-Policy "same-origin" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 server_name {{ subdomain }}.tildes.net;
diff --git a/salt/salt/nginx/tildes.conf.jinja2 b/salt/salt/nginx/tildes.conf.jinja2
index c8a5120..45700b9 100644
--- a/salt/salt/nginx/tildes.conf.jinja2
+++ b/salt/salt/nginx/tildes.conf.jinja2
@@ -54,7 +54,7 @@ server {
 add_header X-Content-Type-Options "nosniff" always;
 add_header X-Frame-Options "DENY" always;
 add_header X-Xss-Protection "1; mode=block" always;
- add_header Referrer-Policy "same-origin" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 server_name {{ pillar['site_hostname'] }};
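Review bot: nginx `add_header` directives set in a `server` block are inherited by a `location` only when that location declares no `add_header` of its own, so the new Referrer-Policy line (together with the three headers above it) is silently dropped from any location in this file that sets even one header itself; the rest of the server block is outside the hunk, so whether such a location exists cannot be confirmed here. It is worth checking the full file, or moving the security headers into an included snippet that every location block pulls in, so that a later `add_header` in a location cannot undo this change unnoticed. The same applies to the second hunk in tildes.conf.jinja2. For the record, `strict-origin-when-cross-origin` sends the scheme+host+port origin (not only the domain) to HTTPS cross-origin targets, the full URL only same-origin, and nothing on an HTTPS-to-HTTP downgrade, which matches what the commit message intends.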