# HG changeset patch
# User Marcin Lulek <mlulek@rhodecode.com>
# Date 2017-08-17 08:55:07
# Node ID 5a2a7c7ae11b98ac2bbeedc0e7cb3fe6bbd9c30f
# Parent  2bdf9d4d745da704c51d3e5c1205ff6ef2a31835

security: use no-referrer for outside link to stop leaking potential parameters such
as auth token stored inside GET flags.

- based on hacker-one ticket

diff --git a/rhodecode/templates/base/root.mako b/rhodecode/templates/base/root.mako
--- a/rhodecode/templates/base/root.mako
+++ b/rhodecode/templates/base/root.mako
@@ -28,6 +28,13 @@ c.template_context['default_user'] = {
         <link rel="import" href="${h.asset('js/rhodecode-components.html', ver=c.rhodecode_version_hash)}">
         <title>${self.title()}</title>
         <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
+
+        % if 'safari' in request.user_agent.lower():
+            <meta name="referrer" content="origin">
+        % else:
+            <meta name="referrer" content="origin-when-cross-origin">
+        % endif
+
         <%def name="robots()">
             <meta name="robots" content="index, nofollow"/>
         </%def>