From d07b7e37737a22be972df01cf557c5af20675d46 Mon Sep 17 00:00:00 2001 From: Jakub Vrana Date: Tue, 9 Jan 2018 11:01:37 +0100 Subject: [PATCH] Use Referrer-Policy instead of To make securityheaders.io happy. Also fix a typo in the value (https://lists.w3.org/Archives/Public/public-webappsec/2015May/0059.html).
---
 adminer/include/design.inc.php | 2 +- plugins/frames.php | 1 + 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/adminer/include/design.inc.php b/adminer/include/design.inc.php
index 2f40866e..f93d81f0 100644
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
@@ -20,7 +20,6 @@ function page_header($title, $error = "", $breadcrumb = array(), $title2 = "") {
- <?php echo $title_page; ?>
@@ -91,6 +90,7 @@ function page_headers() {
 if ($adminer->headers()) {
 header("X-Frame-Options: deny"); // ClickJacking protection in IE8, Safari 4, Chrome 2, Firefox 3.6.9
 header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
+ header("Referrer-Policy: origin-when-cross-origin");
 }
 }
diff --git a/plugins/frames.php b/plugins/frames.php
index bb8519d6..f29b60af 100644
--- a/plugins/frames.php
+++ b/plugins/frames.php
@@ -22,6 +22,7 @@ class AdminerFrames {
 header("X-Frame-Options: SameOrigin");
 }
 header("X-XSS-Protection: 0");
+ header("Referrer-Policy: origin-when-cross-origin");
 return false;
 }
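Review bot: The value `origin-when-cross-origin` added in page_headers() still sends the scheme and host of the admin interface to any external site a user navigates to from it, and it does so even on a downgrade from HTTPS to HTTP. For a database administration tool, `header("Referrer-Policy: same-origin");` (or `no-referrer`) discloses nothing cross-origin; the identical value added in plugins/frames.php should change with it. The new header is also sent only inside `if ($adminer->headers())`, whereas the line removed from page_header() (its markup is not preserved on this page) appears to have applied to every page, so a plugin whose headers() returns false would lose the policy unless it sets the header itself. Unlike its two neighbours the new line carries no trailing comment; something like `// do not leak the admin URL to linked sites` would match them. page_headers() begins outside the hunk.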
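Review bot: The `header("Referrer-Policy: …")` line added in AdminerFrames repeats a literal that also lives in page_headers(), and nothing in the code ties the two copies together. Because this method returns false, which appears to make the core skip its own security headers, every later change to the core list has to be mirrored here by hand or the plugin silently falls behind. A comment above the header calls such as `// returning false skips the core headers; keep this list in sync with page_headers()` would make that dependency visible. The method's signature and opening lines are outside the hunk.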