Merge pull request #956 from maykinmedia/feature/1944-cors-referrer-s…

…ame-origin 🔒 [#1944] Set default Referrer-Policy to same-origin
maykinmedia · Jan 15, 2024 · 064b45a · 064b45a
2 parents e94e74d + 864f3ab
commit 064b45a
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/src/open_inwoner/conf/base.py b/src/open_inwoner/conf/base.py
@@ -906,5 +906,4 @@
 
 from .app.csp import *  # noqa
 
-SECURE_REFERRER_POLICY = "origin-when-cross-origin"
-# SECURE_REFERRER_POLICY = "same-origin"
+SECURE_REFERRER_POLICY = "same-origin"
diff --git a/src/open_inwoner/pdc/tests/test_product.py b/src/open_inwoner/pdc/tests/test_product.py
@@ -19,6 +19,15 @@
 
 @override_settings(ROOT_URLCONF="open_inwoner.cms.tests.urls")
 class TestPublishedProducts(WebTest):
+    def test_product_referrer_policy_header(self):
+        product = ProductFactory()
+
+        response = self.client.get(
+            reverse("products:product_detail", kwargs={"slug": product.slug})
+        )
+
+        self.assertEqual(response.headers["Referrer-Policy"], "same-origin")
+
     def test_only_published_products_exist_on_categories_page_when_anonymous(self):
         category = CategoryFactory(path="0001", name="First one", slug="first-one")
         product1 = ProductFactory(categories=(category,))

diff --git a/src/open_inwoner/pdc/tests/test_product_form.py b/src/open_inwoner/pdc/tests/test_product_form.py
@@ -0,0 +1,18 @@
+from django.test import TestCase, override_settings
+from django.urls import reverse
+
+from .factories import ProductFactory
+
+
+@override_settings(ROOT_URLCONF="open_inwoner.cms.tests.urls")
+class ProductFormTestCase(TestCase):
+    def test_product_form_referrer_policy_header(self):
+        product = ProductFactory(form="foo")
+
+        response = self.client.get(
+            reverse("products:product_form", kwargs={"slug": product.slug})
+        )
+
+        self.assertEqual(
+            response.headers["Referrer-Policy"], "origin-when-cross-origin"
+        )
diff --git a/src/open_inwoner/pdc/views.py b/src/open_inwoner/pdc/views.py
@@ -234,6 +234,11 @@ class ProductFormView(
     breadcrumb_use_pk = False
     no_list = True
 
+    def dispatch(self, request, *args, **kwargs):
+        response = super().dispatch(request, *args, **kwargs)
+        response.headers["Referrer-Policy"] = "origin-when-cross-origin"
+        return response
+
     def page_title(self):
         return f"{self.object.name} {_('Formulier')}"