From 22b6b4bb9f53013d2a4d463a79a5d988c31c8e0e Mon Sep 17 00:00:00 2001
From: Francis Lachapelle <flachapelle@inverse.ca>
Date: Fri, 12 Mar 2021 17:21:13 -0500
Subject: [PATCH] chore(Apache): Don't send the Referer header for cross-origin
 requests

Fixes #5252
---
 Apache/SOGo.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Apache/SOGo.conf b/Apache/SOGo.conf
index 69f421095..11ef15830 100644
--- a/Apache/SOGo.conf
+++ b/Apache/SOGo.conf
@@ -22,6 +22,9 @@ Alias /SOGo/WebServerResources/ \
     </IfModule>
 </Directory>
 
+# Don't send the Referer header for cross-origin requests
+Header always set Referrer-Policy "same-origin"
+
 ## Uncomment the following to enable proxy-side authentication, you will then
 ## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and
 ## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section