Android app didn't send referer

Hello

I use iframes to embed external web interfaces into Nextcloud (with the “External sites” app). Those interfaces are exposed through an nginx reverse proxy with a configuration that allows access only with a valid referer (my Nextcloud domain).

Everything works as expected with desktop clients (Chrome/Firefox/Edge), but the Android application didn’t send a referer (well, “-” in fact).

[12/Nov/2020:22:32:51 +0100] "GET /netdata HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.13.1"
[12/Nov/2020:22:34:32 +0100] "GET /netdata HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.13.1"
[12/Nov/2020:22:41:21 +0100] "GET /netdata HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.13.1"
[12/Nov/2020:22:41:37 +0100] "GET /netdata HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Android) Nextcloud-android/3.13.1"

Here is my apache2 configuration to set up the referer:

ServerName my.domain.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/appsdirectory/nextcloud/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /var/www/apps/nextcloud/>
 Options +FollowSymlinks
 AllowOverride All
 #Specific configuration
 Header always set Referrer-Policy "origin"
 #end of specific configuration
 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /var/www/appsdirectory/nextcloud
 SetEnv HTTP_HOME /var/www/appsdirectory/nextcloud

</Directory>

I tried adding the following to .htaccess, without success:

Header onsuccess unset  Referrer-Policy
Header always set Referrer-Policy "origin"

Do you have any idea?
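
An added example, not part of the original post: a small Python triage of access-log lines in the layout shown above, separating requests that arrived with no Referer header from ones carrying a matching or a foreign host, grouped by user agent. The function names are illustrative, the allowed host `my.domain.com` is taken from the posted `ServerName`, and the third sample line is constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Log layout as in the post: [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify_referer(referer, allowed_host):
    """Return 'missing', 'valid' or 'invalid' for a logged Referer value."""
    if referer in ("", "-"):           # an absent header is logged as "-"
        return "missing"
    try:
        host = urlsplit(referer).hostname   # None when the value is not a URL
    except ValueError:                 # malformed value, e.g. a broken IPv6 literal
        return "invalid"
    return "valid" if host == allowed_host.lower() else "invalid"

def triage(lines, allowed_host):
    """Count (status, referer class, user agent) over the parseable lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                   # skip lines in another log format
        kind = classify_referer(m["referer"], allowed_host)
        counts[(int(m["status"]), kind, m["agent"])] += 1
    return counts

# The first two lines are from the post; the third is constructed for contrast
# (a desktop browser sending only the origin, as Referrer-Policy "origin" asks).
SAMPLE = [
    '[12/Nov/2020:22:32:51 +0100] "GET /netdata HTTP/2.0" 403 162 "-" '
    '"Mozilla/5.0 (Android) Nextcloud-android/3.13.1"',
    '[12/Nov/2020:22:34:32 +0100] "GET /netdata HTTP/2.0" 403 162 "-" '
    '"Mozilla/5.0 (Android) Nextcloud-android/3.13.1"',
    '[12/Nov/2020:22:45:10 +0100] "GET /netdata HTTP/2.0" 200 5123 '
    '"https://my.domain.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/82.0"',
]

if __name__ == "__main__":
    for (status, kind, agent), n in sorted(triage(SAMPLE, "my.domain.com").items()):
        print(f"{n:3d}  {status}  {kind:8s} {agent}")
```

Run over the real access log, the summary shows at a glance which clients never send the header at all, as opposed to sending one for the wrong host.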