django-analytical icon indicating copy to clipboard operation
django-analytical copied to clipboard

Published 20 hours ago verified publisher icon jazzband

Default value for SECURE_REFERRER_POLICY in Django 3.1 breaks Clicky

Open jcassee opened this issue 4 years ago • 2 comments
trafficstars

Django 3.1 has a new default SECURE_REFERRER_POLICY value of same-origin, which hides the referrer from third party sources like Clicky. Clicky depends on the referrer (which, relative to the beacon, is the domain running Django) for domain validation. This breaks the integration by default. See:

https://docs.djangoproject.com/en/3.1/ref/middleware/#referrer-policy https://clicky.com/help/faq/tips/different/domain-validation

Based on my understanding of the Referrer-Policy header documentation, I think these SECURE_REFERRER_POLICY values will break the Clicky integration:

  • no-referrer
  • same-origin

Unfortunately for Clicky, the default setting is same-origin since Django 3.1.

I think we should:

  • Update the Clicky documentation to note that you need to set SECURE_REFERRER_POLICY to any of the supported values.
  • Output a warning if Clicky tags are used and SECURE_REFERRER_POLICY has been set to a value that breaks the integration.

jcassee avatar Jan 21 '21 08:01 jcassee

Yes, just faced with this issue in Django 4.2.1. Set SECURE_REFERRER_POLICY = None

Diemon-zp avatar Sep 28 '23 09:09 Diemon-zp

PR anyone?

bittner avatar Sep 28 '23 14:09 bittner