From f0a4c3475fef9e954b80a76cccdc87e4f3ddfacb Mon Sep 17 00:00:00 2001
From: Duncan <duncan@vtllf.org>
Date: Sun, 2 Aug 2015 06:51:27 +0300
Subject: [PATCH] Add a no_referrer setting to prevent browsers leaking
 information.

---
 mediagoblin/config_spec.ini                 | 3 +++
 mediagoblin/templates/mediagoblin/base.html | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/mediagoblin/config_spec.ini b/mediagoblin/config_spec.ini
index fd86700a..0a8da73e 100644
--- a/mediagoblin/config_spec.ini
+++ b/mediagoblin/config_spec.ini
@@ -86,6 +86,9 @@ allow_attachments = boolean(default=False)
 # Cookie stuff
 csrf_cookie_name = string(default='mediagoblin_csrftoken')
 
+# Set to true to prevent browsers leaking information through Referrers
+no_referrer = boolean(default=True)
+
 # Push stuff
 push_urls = string_list(default=list())
 
diff --git a/mediagoblin/templates/mediagoblin/base.html b/mediagoblin/templates/mediagoblin/base.html
index ddc38b3e..778cc3f9 100644
--- a/mediagoblin/templates/mediagoblin/base.html
+++ b/mediagoblin/templates/mediagoblin/base.html
@@ -27,6 +27,9 @@
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    {% if app_config['no_referrer'] -%}
+      <meta name="referrer" content="no-referrer">
+    {%- endif %}
     <meta http-equiv="X-UA-Compatible" content="IE=Edge">
     <title>{% block title %}{{ app_config['html_title'] }}{% endblock %}</title>
     <link rel="stylesheet" type="text/css"