From f600128203e6319d6f3ce02e2538bf65b0ed01ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Colombaro?= <git@colombaro.fr>
Date: Wed, 13 Feb 2019 14:31:53 +0100
Subject: [PATCH] Add Referrer-Policy for html document by default

---
 h5bp/basic.conf                    | 1 +
 h5bp/security/referrer-policy.conf | 2 +-
 nginx.conf                         | 6 ++++++
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/h5bp/basic.conf b/h5bp/basic.conf
index 24bd863..b8bd24a 100644
--- a/h5bp/basic.conf
+++ b/h5bp/basic.conf
@@ -3,6 +3,7 @@
 
 include h5bp/internet_explorer/x-ua-compatible.conf;
 include h5bp/security/content-security-policy.conf;
+include h5bp/security/referrer-policy.conf.conf;
 include h5bp/security/x-content-type-options.conf;
 include h5bp/security/x-frame-options.conf;
 include h5bp/security/x-xss-protection.conf;
diff --git a/h5bp/security/referrer-policy.conf b/h5bp/security/referrer-policy.conf
index 58136e8..3b85f5c 100644
--- a/h5bp/security/referrer-policy.conf
+++ b/h5bp/security/referrer-policy.conf
@@ -15,4 +15,4 @@
 # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 
-add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Referrer-Policy $referrer_policy always;
diff --git a/nginx.conf b/nginx.conf
index 3ea3dd4..3655b8c 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -115,6 +115,12 @@ http {
     text/html "script-src 'self'; object-src 'self'";
   }
 
+  # Add Referrer-Policy for HTML documents.
+  # h5bp/security/referrer-policy.conf.conf
+  map $sent_http_content_type $referrer_policy {
+    text/html "no-referrer-when-downgrade";
+  }
+
   # Add X-UA-Compatible for HTML documents.
   # h5bp/internet_explorer/x-ua-compatible.conf
   map $sent_http_content_type $x_ua_compatible {