http security: allow referrer-policy to be configured

config/config.exs

@@ -180,7 +180,8 @@
   enabled: true,
   sts: false,
   sts_max_age: 31_536_000,
-  ct_max_age: 2_592_000
+  ct_max_age: 2_592_000,
+  referrer_policy: "same-origin"
 
 config :cors_plug,
   max_age: 86_400,

config/config.md

@@ -86,3 +86,4 @@ This section is used to configure Pleroma-FE, unless ``:managed_config`` in ``:i
 * ``sts``: Whether to additionally send a `Strict-Transport-Security` header
 * ``sts_max_age``: The maximum age for the `Strict-Transport-Security` header if sent
 * ``ct_max_age``: The maximum age for the `Expect-CT` header if sent
+* ``referrer_policy``: The referrer policy to use, either `"same-origin"` or `"no-referrer"`.

lib/pleroma/plugs/http_security_plug.ex

@@ -15,12 +15,14 @@ def call(conn, options) do
   end
 
   defp headers do
+    referrer_policy = Config.get([:http_security, :referrer_policy])
+
     [
       {"x-xss-protection", "1; mode=block"},
       {"x-permitted-cross-domain-policies", "none"},
       {"x-frame-options", "DENY"},
       {"x-content-type-options", "nosniff"},
-      {"referrer-policy", "same-origin"},
+      {"referrer-policy", referrer_policy},
       {"x-download-options", "noopen"},
       {"content-security-policy", csp_string() <> ";"}
     ]

test/plugs/http_security_plug_test.exs

@@ -58,4 +58,20 @@ test "it does not send STS headers when disabled", %{conn: conn} do
     assert Conn.get_resp_header(conn, "strict-transport-security") == []
     assert Conn.get_resp_header(conn, "expect-ct") == []
   end
+
+  test "referrer-policy header reflects configured value", %{conn: conn} do
+    conn =
+      conn
+      |> get("/api/v1/instance")
+
+    assert Conn.get_resp_header(conn, "referrer-policy") == ["same-origin"]
+
+    Config.put([:http_security, :referrer_policy], "no-referrer")
+
+    conn =
+      build_conn()
+      |> get("/api/v1/instance")
+
+    assert Conn.get_resp_header(conn, "referrer-policy") == ["no-referrer"]
+  end
 end