sourceafSleepSafe::ReferrerPolicyGuard.fan

using afIocConfig::Config
using afBedSheet::HttpRequest
using afBedSheet::HttpResponse

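** Guards against internal URL leakage by setting a 'Referrer-Policy' HTTP response header that tells browsers how and when to transmit the HTTP Referer (sic) header. An example of the header (the value actually sent by default is given under IoC Configuration below):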
** 
**   Referrer-Policy: same-origin
** 
** See [Referrer-Policy on MDN]`https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy` for details.
**
**  
** 
** IoC Configuration
** *****************
** 
**   table:
**   afIocConfig Key               Value
**   ----------------------------  ------------
**   'afSleepSafe.referrerPolicy'  Defines when the referrer header should be sent.
**
** Defaults to 'no-referrer, strict-origin-when-cross-origin'. The comma-separated list is a fallback chain: browsers apply the last policy they recognise, so those that don't support 'strict-origin-when-cross-origin' fall back to 'no-referrer' and send no referrer at all. See [Web Security Guidelines]`https://wiki.mozilla.org/Security/Guidelines/Web_Security#Referrer_Policy` for details.
**  
** Example:
** 
**   syntax: fantom 
**   @Contribute { serviceType=ApplicationDefaults# }
**   Void contributeAppDefaults(Configuration config) {
**       config["afSleepSafe.referrerPolicy"] = "no-referrer"
**   }
** 
** To disable, remove this class from the 'SleepSafeMiddleware' configuration:
** 
**   syntax: fantom 
**   @Contribute { serviceType=SleepSafeMiddleware# }
**   Void contributeSleepSafeMiddleware(Configuration config) {
**       config.remove(ReferrerPolicyGuard#)
**   }
** 
const class ReferrerPolicyGuard : Guard {

    // Value written to the 'Referrer-Policy' response header. Populated through the
    // @Config facet (documented key: 'afSleepSafe.referrerPolicy'). The type is
    // nullable, so a null config value is passed through to the header as-is.
    // NOTE(review): presumably a null value leaves the header unset - confirm
    // against HttpResponse.headers before relying on it.
    @Config private const Str? referrerPolicy

    // It-block constructor: the supplied closure is run against the new instance,
    // which is how the const fields above receive their values.
    private new make(|This| itBlock) { itBlock(this) }

    // Short label naming the threat this guard addresses.
    @NoDoc
    override const Str protectsAgainst  := "Internal URL Leakage"

    // Sets the configured policy on the response headers. The request is not
    // inspected, so the same policy is applied to every response passed in here.
    // Always returns null.
    // NOTE(review): null presumably tells the caller the request was not
    // rejected - confirm against the Guard contract.
    @NoDoc
    override Str? guard(HttpRequest httpReq, HttpResponse httpRes) {
        resHeaders := httpRes.headers
        resHeaders.referrerPolicy = this.referrerPolicy
        return null
    }
}