Summary
Don't set a Referrer-Policy. We're not hosting anything which is likely to be particularly privacy sensitive, so we'd ideally tell browsers to make their own decision. Unfortunately there doesn't seem to be a way to do that. In theory returning an empty value should work, however there doesn't seem to be a way to tell nginx to do so.
Code review
Testing
Already applied, PR for visibility.