
Referrer-Policy: strict-origin-when-cross-origin

Previously, this was set as "same-origin", which will only send a
referrer to Tildes itself. This changes it so that it will continue sending
the full referrer to Tildes, but will send only the domain to external
sites if they use HTTPS (and no referer to HTTP ones).

This can be useful because there are often situations where an article
author sees traffic coming from a site and will come to check it out and
be able to participate in the discussion.
merge-requests/64/head
Deimos, 6 years ago
commit 2033fdbcde
  1. salt/salt/nginx/tildes-static-sites.conf.jinja2 (2 lines changed)
  2. salt/salt/nginx/tildes.conf.jinja2 (2 lines changed)

salt/salt/nginx/tildes-static-sites.conf.jinja2 (2 lines changed)

@ -10,7 +10,7 @@ server {
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Xss-Protection "1; mode=block" always; add_header X-Xss-Protection "1; mode=block" always;
add_header Referrer-Policy "same-origin" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
server_name {{ subdomain }}.tildes.net; server_name {{ subdomain }}.tildes.net;
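Review bot: for this server block the "full referrer to Tildes itself" wording in the commit message does not hold: strict-origin-when-cross-origin sends the full URL only on same-origin requests, and a request from {{ subdomain }}.tildes.net to the main site is cross-origin, so links from the static subdomains back to the main site will now carry just the origin (https://{{ subdomain }}.tildes.net/) rather than the full path. That is still an improvement over the previous "same-origin" value, which sent nothing cross-origin, but it is worth stating in the description if any of the static sites link into main-site discussions. Keeping the `always` parameter is correct, since it makes nginx emit the header on error responses as well.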

salt/salt/nginx/tildes.conf.jinja2 (2 lines changed)

@ -54,7 +54,7 @@ server {
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always; add_header X-Frame-Options "DENY" always;
add_header X-Xss-Protection "1; mode=block" always; add_header X-Xss-Protection "1; mode=block" always;
add_header Referrer-Policy "same-origin" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
server_name {{ pillar['site_hostname'] }}; server_name {{ pillar['site_hostname'] }};
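Review bot: "only the domain" in the description is imprecise and should be tightened: on cross-origin HTTPS navigations and resource loads, strict-origin-when-cross-origin sends the origin (scheme, host and port, i.e. https://{{ pillar['site_hostname'] }}/), and on an HTTPS to HTTP downgrade it sends no Referer at all, which is what keeps the path and query of discussion URLs from leaking to plain-HTTP sites. One thing to verify before deploying: nginx only inherits add_header into a location block that defines no add_header of its own, so any location under this server that adds its own header will silently drop Referrer-Policy together with the X-Content-Type-Options, X-Frame-Options and X-Xss-Protection lines above it; a `curl -sI` against a few representative paths, checking that each response carries the new Referrer-Policy value, catches that.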
