2 files changed, 19 insertions, 4 deletions

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 651c31bad..35d6dd687 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -491,6 +491,11 @@ sub _prevent_unsafe_response {
     }
 }
 
+sub should_block_referrer {
+    my ($self) = @_;
+    return length($self->self_url) > 8000;
+}
+
 # Override header so we can add the cookies in
 sub header {
     my $self = shift;
@@ -570,15 +575,20 @@ sub header {
     # the MIME type away from the declared Content-Type.
     $headers{'-x_content_type_options'} = 'nosniff';
 
-    my $csp = $self->content_security_policy;
-    $csp->add_cgi_headers(\%headers) if defined $csp && !$csp->disable;
-
     Bugzilla::Hook::process('cgi_headers',
         { cgi => $self, headers => \%headers }
     );
     $self->{_header_done} = 1;
 
     if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) {
+        if ($self->should_block_referrer) {
+            $headers{'-referrer_policy'} = 'origin';
+        }
+        my $csp = $self->content_security_policy;
+        if (defined $csp && !$csp->disable) {
+            $csp->add_cgi_headers(\%headers)
+        }
+
         my @fonts = (
             "skins/standard/fonts/FiraMono-Regular.woff2?v=3.202",
             "skins/standard/fonts/FiraSans-Bold.woff2?v=4.203",
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 04b996e16..428354233 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -98,6 +98,12 @@
       <meta charset="UTF-8">
     [% END %]
 
+    [% IF Bugzilla.cgi.should_block_referrer %]
+      <meta name="referrer" content="origin">
+    [% ELSE %]
+      <meta name="referrer" content="origin-when-crossorigin">
+    [% END %]
+
     [%- js_BUGZILLA = {
             param => {
                 maxusermatches => Param('maxusermatches'),
@@ -206,7 +212,6 @@
     [% IF allow_mobile && is_mobile_browser %]
       <meta name="viewport" content="width=device-width, initial-scale=1">
     [% END %]
-    <meta name="referrer" content="origin-when-crossorigin">
     [% Hook.process("additional_header") %]
   </head>