False Referrer-Policy warning after upgrade to Nextcloud 15

[Nils160988]

Steps to reproduce

1. Log in to your nextcloud with an account with administrative privileges
2. Click on "Overview"

Expected behaviour

No warnings are shown (like in 14.03 pre-upgrade)

Actual behaviour

Referrer-Policy warning shows up, although it has been set to "strict-origin".

This false warning has also been shown with Beta 1 but not for 14.03.
Changing the configuration to the newly implemented same-origin does not make a difference for Beta 2 but for 14.03 since

Server configuration

Operating system: Ubuntu 16.04.5

Web server: Apache/2.4.18

Database: 10.0.36-MariaDB

PHP version: 7.0.32-0ubuntu0.16.04.1

Nextcloud version: 15.0.0 beta 2

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from:

List of activated apps:

App list

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder
Enabled:
  - accessibility: 1.1.0
  - activity: 2.8.2
  - bruteforcesettings: 1.2.0
  - cloud_federation_api: 0.1.0
  - comments: 1.5.0
  - dav: 1.7.2
  - federatedfilesharing: 1.5.0
  - federation: 1.5.0
  - files: 1.10.0
  - files_pdfviewer: 1.4.0
  - files_sharing: 1.7.0
  - files_texteditor: 2.7.0
  - files_trashbin: 1.5.0
  - files_versions: 1.8.0
  - files_videoplayer: 1.4.0
  - firstrunwizard: 2.4.0
  - gallery: 18.2.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.3.0
  - nextcloud_announcements: 1.4.0
  - notifications: 2.3.0
  - oauth2: 1.3.0
  - password_policy: 1.5.0
  - provisioning_api: 1.5.0
  - serverinfo: 1.5.0
  - sharebymail: 1.5.0
  - survey_client: 1.3.0
  - systemtags: 1.5.0
  - theming: 1.6.0
  - twofactor_backupcodes: 1.4.1
  - updatenotification: 1.5.0
  - workflowengine: 1.5.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - support
  - user_external
  - user_ldap
</details>

**Nextcloud configuration:**
<details>
<summary>Config report</summary>

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or

Insert your config.php content here.
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)
{
"system": {
"instanceid": "REMOVED SENSITIVE VALUE",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"trusted_domains": [
XXXXXX"
],
"datadirectory": "REMOVED SENSITIVE VALUE",
"overwrite.cli.url": "httpsXXXX",
"htaccess.RewriteBase": "/",
"dbtype": "mysql",
"version": "15.0.0.6",
"dbname": "REMOVED SENSITIVE VALUE",
"dbhost": "REMOVED SENSITIVE VALUE",
"dbport": "",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"memcache.local": "\OC\Memcache\APCu",
"mail_smtpmode": "sendmail",
"mail_smtpauthtype": "LOGIN",
"mail_from_address": "REMOVED SENSITIVE VALUE",
"mail_domain": "REMOVED SENSITIVE VALUE",
"updater.release.channel": "beta",
"skeletondirectory": "/var/www/default-files",
"maintenance": false,
"loglevel": 2,
"theme": "",
"updater.secret": "REMOVED SENSITIVE VALUE"
}
}

Are you using external storage, if yes which one: local

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 63.0

Operating system: Ubuntu 18.04.01

[nextcloud-bot]

GitMate.io thinks possibly related issues are #4908 (Problem upgrading NextCloud), #11202 (Nextcloud 14 Upgrade issue. ), #5599 (Contacts duplicate after upgrade to Nextcloud 12.0), #12507 (App Page not available after Upgrade to 15 Beta 2), and #12497 (Update with updater from Nextcloud 15 Beta 1 to Beta 2 not possible).

[Nils160988]

This issue also shows up on another instance after upgrade from 14.03 to 14.04.

[xxKeith20xx]

Just upgraded to 14.04 and found this warning. Once I commented it out from my vhost file, the warning went away:

Apache/2.4.25 (Debian)

# <IfModule mod_headers.c>
#Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
#Header always set Referrer-Policy "no-referrer"
# </IfModule>

I've left the defaults intact in the NextCloud .htaccess:

 grep -ni referrer .htaccess
19:    Header set Referrer-Policy "no-referrer"

Perhaps having both caused a conflict?

[Scindix]

I had this issue as well after upgrading from 14.03 to 14.04. And it was fixed for me as well by removing one of the header directives (either the one in my sites.conf or the one in .htaccess).

While inspecting the issue I found out that setting the directives in two places causes Apache to send the header twice. So Nextcloud probably gets confused when that header is present multiple times.

[Nils160988]

I can confirm that the behavior has been introduced for 14.04 and persists for 15 RC1.

[ncodeyx]

Can confirm this is an issue on Nextcloud 14.04 as well.

[m1d1]

I can confirm @Scindix finding. Identical header settings on two different locations (apache conf file /.htaccess) was causing the trouble.

[J0WI]

See also nextcloud/documentation#674 and #8207

[sruckh]

This is also true for stable 14.0.6 release. Referrer policy is set to no-referrer. The website Security Headers correctly identifies the referrer policy has been configured, but "Security & setup warnings" warning from nextcloud incorrectly reports that referrer policy is not set.