[Solved] Restore HTTP Referer inside an app


I’m the developer of GpxPod and GpxEdit. In those two apps, there is a leaflet map which loads external tiles. Leaflet does ajax requests to get them. One of my tiles providers requires an authentication which is done with an API key in the requests URLs and also with the HTTP Referer (to be sure the requests come from a DNS that matches with the API key).

Nextcloud inhibit HTTP Referer and that prevents my apps to send it to the tiles provider.

Is there a way to set the HTTP Referer in Nextcloud config or in my apps implementations ? Or any way at all ?

Nextcloud does not inhibit referrers afaik, what makes you think it does?

In the apps, the HTTP headers sent by leaflet requests don’t have any Referer. In another page, outside Nextcloud, similar requests do have a “Referer” field.

I’m running a freshly installed Nextcloud instance with basic Apache2 config.

Probably CSP then https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/referrer

Adjust your app to allow referrers in that case. AFAIK there are docs for CSP

Thanks for the hint. I discovered that the referrer policy could be set with the HTTP CSP header or with a in html… Changing the CSP does not have any effect, no referrer is sent anyway.

core/templates/layout.*.php files contain :
<meta name="referrer" content="never">
so Nextcloud is actually preventing referrer to be sent and here is the cause.

If i change “never” to “origin” in my Nextcloud instance, it works fine, referrer is sent but it’s a dirty fix.

I’m gonna keep digging to find out if i can modify this only in my apps.

Any idea ?

Ok, solved. Changing the value after page load works.

I did it this way, in case somebody has a similar problem.
In a javascript file loaded in the page which loads the IGN tiles :
$('meta[name=referrer]').attr('content', 'origin');

This way it only affects my apps and not the whole Nextcloud instance.

Thanks again