Make referrer-policy configurable (#3614)

#### What type of PR is this? /kind feature /area core #### What this PR does / why we need it: This PR provides a configuration item to control referrer-policy header. Default is `strict-origin-when-cross-origin`. ```yaml halo: security: referrer-options: policy: no-referrer ``` #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/3064 #### Does this PR introduce a user-facing change? ```release-note 提供配置以控制站点引用策略（Referrer-Policy） ```
2023-03-29 17:18:13 +08:00 · 2023-03-29 17:18:13 +08:00 · ad6ac87d73
parent b846a05276
commit ad6ac87d73
2 changed files with 14 additions and 2 deletions
--- a/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@ -1,7 +1,6 @@
 package run.halo.app.config;

 import static org.springframework.security.config.Customizer.withDefaults;
-import static org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN;
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;

 import java.util.Set;
@ -96,7 +95,8 @@ public class WebServerSecurityConfig {
                    spec.disable();
                }
            })
-            .referrerPolicy().policy(STRICT_ORIGIN_WHEN_CROSS_ORIGIN).and()
+            .referrerPolicy(
+                spec -> spec.policy(haloProperties.getSecurity().getReferrerOptions().getPolicy()))
            .cache().disable().and()
            .anonymous(spec -> spec.authenticationFilter(
                new HaloAnonymousAuthenticationWebFilter("portal", AnonymousUserConst.PRINCIPAL,
--- a/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
+++ b/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
@ -1,6 +1,9 @@
 package run.halo.app.infra.properties;

+import static org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN;
+
 import lombok.Data;
+import org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy;
 import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;

@Data
@ -10,6 +13,8 @@ public class SecurityProperties {

    private final FrameOptions frameOptions = new FrameOptions();

+    private final ReferrerOptions referrerOptions = new ReferrerOptions();
+
    @Data
    public static class FrameOptions {

@ -18,6 +23,13 @@ public class SecurityProperties {
        private Mode mode = Mode.SAMEORIGIN;
    }

+    @Data
+    public static class ReferrerOptions {
+
+        private ReferrerPolicy policy = STRICT_ORIGIN_WHEN_CROSS_ORIGIN;
+
+    }
+
    @Data
    public static class Initializer {