Default value for SECURE_REFERRER_POLICY in Django 3.1 breaks Clicky

[jcassee]

Django 3.1 has a new default SECURE_REFERRER_POLICY value of same-origin, which hides the referrer from third party sources like Clicky. Clicky depends on the referrer (which, relative to the beacon, is the domain running Django) for domain validation. This breaks the integration by default. See:

https://docs.djangoproject.com/en/3.1/ref/middleware/#referrer-policy
https://clicky.com/help/faq/tips/different/domain-validation

Based on my understanding of the Referrer-Policy header documentation, I think these SECURE_REFERRER_POLICY values will break the Clicky integration:

• no-referrer
• same-origin

Unfortunately for Clicky, the default setting is same-origin since Django 3.1.

I think we should:

• Update the Clicky documentation to note that you need to set SECURE_REFERRER_POLICY to any of the supported values.
• Output a warning if Clicky tags are used and SECURE_REFERRER_POLICY has been set to a value that breaks the integration.

[Diemon-zp]

Yes, just faced with this issue in Django 4.2.1.
Set SECURE_REFERRER_POLICY = None

[bittner]

PR anyone?