I have Debian 12 with gitit 0.15.1.0+dfsg-2+b6 and nginx 1.22.1-9 (doing proxy_pass http://127.0.0.1:5001/).
I was messing with https://infosec.mozilla.org/guidelines/web_security.html#referrer-policy
I found that with add_header Referrer-Policy no-referrer always; in nginx.conf,
when I tried to logout, the /_logout URL returned a 303 redirect back to itself.
This happened over and over until Firefox reached a redirect limit.
It looks like add_header Referrer-Policy same-origin always; does not exhibit this issue.
I think if there is no Referer, _logout should redirect to / rather than itself?
I looked at https://github.com/jgm/gitit/blob/0.15.1.0/src/Network/Gitit/Authentication.hs#L404-L415 but I'm not immediately sure what ought to go in the `dest <-` to implement "there is no referer".

This is a weird edge case, so I don't mind if you just say "so, don't do that" and close this ticket :-)
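As an added illustration of the loop described in this report (this is not gitit's code; gitit's real handler is `logoutUser` in Network/Gitit/Authentication.hs), here is a small Python model of a logout endpoint that redirects to the Referer, together with a browser that applies a Referrer-Policy before sending the header. `naive_logout` falls back to the request URL when the header is absent, which is exactly the self-redirect that `no-referrer` triggers; `safe_logout` falls back to the wiki base instead, and additionally refuses a cross-origin Referer and its own path so it can never bounce back to itself. The hostnames, the handler names, the `wiki_base` parameter and the 20-hop browser limit are assumptions made for the model.

```python
from urllib.parse import urljoin, urlsplit

# Constructed model, not gitit's code. The logout endpoint path matches the
# report; everything else here is an assumption for illustration.
LOGOUT_PATH = "/_logout"
MAX_REDIRECTS = 20  # browsers give up after a fixed number of hops (assumed value)


def naive_logout(request_url, referer):
    """Location a handler returns when it trusts the Referer and, lacking one,
    redirects back to the URL it was called on. With Referrer-Policy
    no-referrer the second branch is taken on every hop: the loop."""
    return referer if referer else request_url


def safe_logout(request_url, referer, wiki_base="/"):
    """Location that never targets the logout endpoint itself and stays on our
    own origin; anything doubtful goes to the wiki base (assumed to be '/')."""
    if not referer:
        return wiki_base                      # no Referer: the case in the report
    own, ref = urlsplit(request_url), urlsplit(referer)
    if (ref.scheme, ref.netloc) != (own.scheme, own.netloc):
        return wiki_base                      # a foreign page linked here; do not send the user back there
    if ref.path.rstrip("/") == LOGOUT_PATH:
        return wiki_base                      # never redirect to ourselves
    return referer


def referer_for(policy, from_url, to_url):
    """Referer a browser attaches to a request for to_url made from from_url,
    for the two policies the report compares."""
    if from_url is None or policy == "no-referrer":
        return None
    if policy == "same-origin":
        same = urlsplit(from_url)[:2] == urlsplit(to_url)[:2]
        return from_url if same else None
    raise ValueError(f"policy not modelled: {policy}")


def follow(handler, page_url, policy):
    """Click 'logout' on page_url and follow 303s the way a browser would.
    Returns (final_url, hops) or ('redirect-loop', hops).
    Simplification: on each redirect the browser re-derives the Referer from
    the originating page under the same policy (nginx's 'always' puts the
    Referrer-Policy header on the 303 responses too)."""
    current = urljoin(page_url, LOGOUT_PATH)
    referer = referer_for(policy, page_url, current)
    hops = 0
    while hops < MAX_REDIRECTS:
        if urlsplit(current).path != LOGOUT_PATH:
            return current, hops              # landed on an ordinary page
        location = handler(current, referer)  # the 303's Location value
        hops += 1
        target = urljoin(current, location)
        referer = referer_for(policy, page_url, target)
        current = target
    return "redirect-loop", hops


if __name__ == "__main__":
    page = "https://wiki.example/Front%20Page"
    for handler in (naive_logout, safe_logout):
        for policy in ("no-referrer", "same-origin"):
            print(f"{handler.__name__:13s} {policy:12s} -> {follow(handler, page, policy)}")
```

Running it shows the naive handler looping under `no-referrer` and succeeding under `same-origin`, while the safe handler lands on the wiki base in the first case and on the originating page in the second. The design choice worth copying is the fallback: when the header is missing, redirect to a configured base path, never to the request URL.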