authorNick Pope <nick.pope@flightdataservices.com>2019-03-21 21:33:41 +0000
committerCarlton Gibson <carlton.gibson@noumenal.es>2019-09-09 13:35:41 +0200
commit406dba04e1482a308cad74e3d06c050c76ba2d16 (patch)
treed5ec1f049f18481b620d993938d21de83d547673 /tests/middleware
parent1edbb6c19405a629200ba3683968f3dba2744e7e (diff)
downloaddjango-406dba04e1482a308cad74e3d06c050c76ba2d16.tar.gz
Fixed #29406 -- Added support for Referrer-Policy header.
Thanks to James Bennett for the initial implementation.
Diffstat (limited to 'tests/middleware')
-rw-r--r--tests/middleware/test_security.py33
1 files changed, 33 insertions, 0 deletions
diff --git a/tests/middleware/test_security.py b/tests/middleware/test_security.py
index 86153f19ee..07b72fc73a 100644
--- a/tests/middleware/test_security.py
+++ b/tests/middleware/test_security.py
@@ -222,3 +222,36 @@ class SecurityMiddlewareTest(SimpleTestCase):
"""
ret = self.process_request("get", "/some/url")
self.assertIsNone(ret)
+
+ @override_settings(SECURE_REFERRER_POLICY=None)
+ def test_referrer_policy_off(self):
+ """
+ With SECURE_REFERRER_POLICY set to None, the middleware does not add a
+ "Referrer-Policy" header to the response.
+ """
+ self.assertNotIn('Referrer-Policy', self.process_response())
+
+ def test_referrer_policy_on(self):
+ """
+ With SECURE_REFERRER_POLICY set to a valid value, the middleware adds a
+ "Referrer-Policy" header to the response.
+ """
+ tests = (
+ ('strict-origin', 'strict-origin'),
+ ('strict-origin,origin', 'strict-origin,origin'),
+ ('strict-origin, origin', 'strict-origin,origin'),
+ (['strict-origin', 'origin'], 'strict-origin,origin'),
+ (('strict-origin', 'origin'), 'strict-origin,origin'),
+ )
+ for value, expected in tests:
+ with self.subTest(value=value), override_settings(SECURE_REFERRER_POLICY=value):
+ self.assertEqual(self.process_response()['Referrer-Policy'], expected)
+
+ @override_settings(SECURE_REFERRER_POLICY='strict-origin')
+ def test_referrer_policy_already_present(self):
+ """
+ The middleware will not override a "Referrer-Policy" header already
+ present in the response.
+ """
+ response = self.process_response(headers={'Referrer-Policy': 'unsafe-url'})
+ self.assertEqual(response['Referrer-Policy'], 'unsafe-url')
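Review bot: `test_referrer_policy_on` asserts the joined header value, but nothing in it says that the order of the values is part of the contract; in a comma-separated Referrer-Policy header browsers apply the last policy they recognise, so a reordering would change the effective policy. I would add a comment above the `tests` tuple such as `# Order must be preserved: browsers use the last policy they recognise.` The table also has no case for an empty string or for list items with surrounding whitespace; whether the middleware strips those is not visible in this hunk, so a subtest pinning that behaviour would help. `test_referrer_policy_already_present` lets a response's own `unsafe-url` win over the stricter `strict-origin` setting, and its docstring could state that this per-response override is intended, so a later reader does not take it for a gap. The enclosing `SecurityMiddlewareTest` class starts outside the hunk.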