From 78e99504c7f2e42018abb94edadc1907cd87acc7 Mon Sep 17 00:00:00 2001
From: Fredrik Jonsson
Date: Wed, 18 Dec 2024 10:39:34 +0100
Subject: [PATCH] Update referrer-policy to strict-origin-when-cross-origin, remove django-referrer-policy packages, built in to Django 3 and later.

---
 hypha/settings/base.py | 10 +++-------
 hypha/settings/django.py | 1 -
 pyproject.toml | 1 -
 requirements/dev.txt | 2 --
 requirements/prod.txt | 2 --
 uv.lock | 11 -----------
 6 files changed, 3 insertions(+), 24 deletions(-)

diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index f4425b76e7..c6dc140630 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -525,19 +525,15 @@
 SECURE_HSTS_SECONDS = env.int("SECURE_HSTS_SECONDS", None)
 SECURE_BROWSER_XSS_FILTER = env.bool("SECURE_BROWSER_XSS_FILTER", True)
 SECURE_CONTENT_TYPE_NOSNIFF = env.bool("SECURE_CONTENT_TYPE_NOSNIFF", True)
+SECURE_REFERRER_POLICY = env.str(
+ "SECURE_REFERRER_POLICY", "strict-origin-when-cross-origin"
+)
 
 if env.bool("COOKIE_SECURE", False):
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SECURE = True
 ELEVATE_COOKIE_SECURE = True
 
-# Referrer-policy header settings
-# https://django-referrer-policy.readthedocs.io/en/1.0/
-
-REFERRER_POLICY = env.str(
- "SECURE_REFERRER_POLICY", "no-referrer-when-downgrade"
-).strip()
-
 # Django Elevate settings
 # https://django-elevate.readthedocs.io/en/latest/config/index.html
 
diff --git a/hypha/settings/django.py b/hypha/settings/django.py
index e1d35ed418..1dc222ac05 100644
--- a/hypha/settings/django.py
+++ b/hypha/settings/django.py
@@ -98,7 +98,6 @@
 "django.contrib.auth.middleware.AuthenticationMiddleware",
 "django.contrib.messages.middleware.MessageMiddleware",
 "django.middleware.clickjacking.XFrameOptionsMiddleware",
-"django_referrer_policy.middleware.ReferrerPolicyMiddleware",
 "django_otp.middleware.OTPMiddleware",
 "hypha.apply.users.middleware.TwoFactorAuthenticationMiddleware",
 "hijack.middleware.HijackUserMiddleware",
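Review bot: The default "strict-origin-when-cross-origin" on the added SECURE_REFERRER_POLICY lines is looser than Django's own default for this setting ("same-origin"), since it still sends the site's origin to other sites on cross-origin navigations, and with the old comment block removed nothing in the file records that choice. A short comment above the setting such as `# Referrer-Policy header, emitted by django.middleware.security.SecurityMiddleware.` followed by `# Looser than Django's "same-origin" default so outbound links still carry the origin.` would document it. Dropping `.strip()` is fine: SecurityMiddleware strips each comma-separated value itself, and the security.W023 system check rejects unknown values at startup. The setting only has an effect if SecurityMiddleware is in MIDDLEWARE, which the django.py hunk does not show (it is presumably near the top of the list, outside the hunk) and is worth confirming.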
diff --git a/pyproject.toml b/pyproject.toml
index 135af4c14c..f0406bae6a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,7 +29,6 @@ dependencies = [
 "django-nh3~=0.1.1",
 "django-pagedown~=2.2.1",
 "django-ratelimit~=4.1.0",
-"django-referrer-policy~=1.0",
 "django-role-permissions~=3.2.0",
 "django-select2~=8.2.1",
 "django-slack~=5.19.0",
diff --git a/requirements/dev.txt b/requirements/dev.txt
index c0ea91d2b8..91ebfab1d5 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -342,8 +342,6 @@ django-phonenumber-field==8.0.0 \
 django-ratelimit==4.1.0 \
 --hash=sha256:555943b283045b917ad59f196829530d63be2a39adb72788d985b90c81ba808b \
 --hash=sha256:d047a31cf94d83ef1465d7543ca66c6fc16695559b5f8d814d1b51df15110b92
-django-referrer-policy==1.0 \
- --hash=sha256:09e134324fa08c10efc12244a4bae7aee5defa7d332b92c603b09258c854615a
 django-role-permissions==3.2.0 \
 --hash=sha256:5a89eaa098f3da951b4633e655d5f3188f3d6ec5f0b846a8b1690d094ddc6ea6 \
 --hash=sha256:39c4237e9ed2983c0d7fa38bd7f7c4942a04daac739d5be1921efccb074a0606
diff --git a/requirements/prod.txt b/requirements/prod.txt
index 8276235d5a..1cf9390413 100644
--- a/requirements/prod.txt
+++ b/requirements/prod.txt
@@ -265,8 +265,6 @@ django-phonenumber-field==8.0.0 \
 django-ratelimit==4.1.0 \
 --hash=sha256:555943b283045b917ad59f196829530d63be2a39adb72788d985b90c81ba808b \
 --hash=sha256:d047a31cf94d83ef1465d7543ca66c6fc16695559b5f8d814d1b51df15110b92
-django-referrer-policy==1.0 \
- --hash=sha256:09e134324fa08c10efc12244a4bae7aee5defa7d332b92c603b09258c854615a
 django-role-permissions==3.2.0 \
 --hash=sha256:5a89eaa098f3da951b4633e655d5f3188f3d6ec5f0b846a8b1690d094ddc6ea6 \
 --hash=sha256:39c4237e9ed2983c0d7fa38bd7f7c4942a04daac739d5be1921efccb074a0606
diff --git a/uv.lock b/uv.lock
index 154519e938..539713ffe0 100644
--- a/uv.lock
+++ b/uv.lock
@@ -860,15 +860,6 @@ wheels = [
 { url = "https://files.pythonhosted.org/packages/fb/78/2c59b30cd8bc8068d02349acb6aeed5c4e05eb01cdf2107ccd76f2e81487/django_ratelimit-4.1.0-py2.py3-none-any.whl", hash = "sha256:d047a31cf94d83ef1465d7543ca66c6fc16695559b5f8d814d1b51df15110b92", size = 11608 },
 ]
 
-[[package]]
-name = "django-referrer-policy"
-version = "1.0"
-source = { registry = "https://pypi.org/simple" }
-dependencies = [
- { name = "django" },
-]
-sdist = { url = "https://files.pythonhosted.org/packages/e7/ee/f77e38c1e6e9e79ecabb06b7e542aff7fed6971d583d6c482e3d54dffa85/django-referrer-policy-1.0.tar.gz", hash = "sha256:09e134324fa08c10efc12244a4bae7aee5defa7d332b92c603b09258c854615a", size = 3594 }
-
 [[package]]
 name = "django-role-permissions"
 version = "3.2.0"
@@ -1376,7 +1367,6 @@ dependencies = [
 { name = "django-nh3" },
 { name = "django-pagedown" },
 { name = "django-ratelimit" },
-{ name = "django-referrer-policy" },
 { name = "django-role-permissions" },
 { name = "django-select2" },
 { name = "django-slack" },
@@ -1478,7 +1468,6 @@ requires-dist = [
 { name = "django-nh3", specifier = "~=0.1.1" },
 { name = "django-pagedown", specifier = "~=2.2.1" },
 { name = "django-ratelimit", specifier = "~=4.1.0" },
-{ name = "django-referrer-policy", specifier = "~=1.0" },
 { name = "django-role-permissions", specifier = "~=3.2.0" },
 { name = "django-select2", specifier = "~=8.2.1" },
 { name = "django-slack", specifier = "~=5.19.0" },