From fe7c570cc9f8ac283618e8f5743c0d72dad6325b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Astori?=
Date: Thu, 6 Apr 2017 02:25:43 -0400
Subject: [PATCH] Use Referrer-Policy header instead of CSP referrer

According to MDN:
> referrer
> Used to specify information in the referer (sic) header for links away from a page.
> Use the Referrer-Policy header instead.
See:
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
---
 src/server.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/server.js b/src/server.js
index 28b35436..846ff78b 100644
--- a/src/server.js
+++ b/src/server.js
@@ -131,7 +131,8 @@ function index(req, res, next) {
 return css.slice(0, -4);
 });
 var template = _.template(file);
- res.setHeader("Content-Security-Policy", "default-src *; connect-src 'self' ws: wss:; style-src * 'unsafe-inline'; script-src 'self'; child-src 'self'; object-src 'none'; form-action 'none'; referrer no-referrer;");
+ res.setHeader("Content-Security-Policy", "default-src *; connect-src 'self' ws: wss:; style-src * 'unsafe-inline'; script-src 'self'; child-src 'self'; object-src 'none'; form-action 'none';");
+ res.setHeader("Referrer-Policy", "no-referrer");
 res.setHeader("Content-Type", "text/html");
 res.writeHead(200);
 res.end(template(data));
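Review bot: Removing `referrer no-referrer` from the Content-Security-Policy value in `index()` drops referrer suppression for any browser that implemented the CSP directive but not yet the `Referrer-Policy` header, so those clients would presumably start sending this page's URL in Referer on outbound links. If such browsers are still supported, a `<meta name="referrer" content="no-referrer">` in the index template (not visible in this hunk) would cover them. A short comment above the new line would record the intent, e.g. `// Replaces the deprecated CSP "referrer" directive; "no-referrer" keeps this page's URL out of Referer on outbound links`. The header is set only on this response, and `index()` starts and ends outside the hunk, so whether other HTML responses need it cannot be judged from here.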