[Fixes #12402] Adopt strict-origin-when-cross-origin Referrer Policy …

…as default (#12403) (#12404)

* Referre poicy strict-origin-when-cross-origin as default

* adapt proxy tests to adapt to new referrer policy

(cherry picked from commit 8bb5eda)

Co-authored-by: Giovanni Allegri <[email protected]>

geonode/proxy/tests.py

@@ -214,7 +214,7 @@ class Response:
                 "Vary": "Authorization, Accept-Language, Cookie, origin",
                 "X-Content-Type-Options": "nosniff",
                 "X-XSS-Protection": "1; mode=block",
-                "Referrer-Policy": "same-origin",
+                "Referrer-Policy": "strict-origin-when-cross-origin",
                 "Cross-Origin-Opener-Policy": "same-origin",
                 "X-Frame-Options": "SAMEORIGIN",
                 "Content-Language": "en",
@@ -236,7 +236,7 @@ class Response:
                 "Vary": "Authorization, Accept-Language, Cookie, origin",
                 "X-Content-Type-Options": "nosniff",
                 "X-XSS-Protection": "1; mode=block",
-                "Referrer-Policy": "same-origin",
+                "Referrer-Policy": "strict-origin-when-cross-origin",
                 "X-Frame-Options": "SAMEORIGIN",
                 "Content-Language": "en-us",
                 "Content-Length": "119",

geonode/settings.py

@@ -848,6 +848,7 @@
 SECURE_SSL_REDIRECT = ast.literal_eval(os.environ.get("SECURE_SSL_REDIRECT", "False"))
 SECURE_HSTS_SECONDS = int(os.getenv("SECURE_HSTS_SECONDS", "3600"))
 SECURE_HSTS_INCLUDE_SUBDOMAINS = ast.literal_eval(os.environ.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", "True"))
+SECURE_REFERRER_POLICY = os.environ.get("SECURE_REFERRER_POLICY", "strict-origin-when-cross-origin")
 
 # Replacement of the default authentication backend in order to support
 # permissions per object.