hide referrer of outgoing links (e.g. to provider or organisation) #9852
Comments
Thx, we should add it. I think we already set this for most links (not globally) and sometimes use our proxy to remove the referrer, but it would be better to also set it globally.
Note: the
rel=noreferrer is a good step. Source: https://en.wikipedia.org/wiki/Comparison_of_layout_engines_%28HTML5%29
When we link to external websites where the URL linked to was "user submitted" (for example via the Tracking API referrer website tracking), it's very useful to set rel=noreferrer because it protects us against phishing attacks using the window.opener technique described in https://mathiasbynens.github.io/rel-noopener/#hax - so I'm now adding the "Security" component label to this issue.
Just a thought: issues with the security label should be handled with some priority... (18 months since the report now...)
@Findus23 is this maybe done already re the header etc?
That's only for the overlay though? By default it would use
Ah, that's what I missed: I didn't know that
Piwik's URL should not always be visible / spread widely.
Since there are some outgoing links, e.g. back to the organisation where visitors come from within the visitor log, it would be good to hide the referrer (Piwik's URL).
Adding
<meta name="referrer" content="no-referrer" />
should be enough these days.
More complete solutions, e.g. via JS or PHP, are discussed here:
https://stackoverflow.com/questions/6428762/hide-referrer-on-click
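As an added example (not Piwik's own code and not taken from this thread), one client-side way to apply the rel=noreferrer suggestion from the comments to every link that leaves the install's origin, including user-submitted URLs. The function names and the `analytics.example` origin used in the comments are assumptions.

```javascript
// Hypothetical helper names; the install is assumed to live at https://analytics.example/.

// Return the rel value an <a> should carry, or null when the link stays on
// our own origin and needs no change.
function hardenedRel(href, currentRel, pageUrl) {
  let target = null;
  try {
    // Resolves relative and protocol-relative ("//host/path") URLs as a browser would.
    target = new URL(href, pageUrl);
  } catch (e) {
    // Unparseable user-submitted URL: fall through and treat it as external.
  }
  if (target !== null && target.origin === new URL(pageUrl).origin) {
    return null;
  }
  // Keep existing tokens (e.g. nofollow), normalised to lower case, without duplicates.
  const tokens = new Set(
    (currentRel || '').split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );
  tokens.add('noreferrer'); // no Referer header, so the install's URL is not sent
  tokens.add('noopener');   // the opened page gets no window.opener handle
  return Array.from(tokens).join(' ');
}

// Apply the policy to every anchor in a document; returns how many were changed.
function hardenOutgoingLinks(doc) {
  let changed = 0;
  for (const a of doc.querySelectorAll('a[href]')) {
    const rel = hardenedRel(a.getAttribute('href'), a.getAttribute('rel'), doc.location.href);
    if (rel !== null) {
      a.setAttribute('rel', rel);
      changed += 1;
    }
  }
  return changed;
}

// In a browser, run once the DOM is ready; under Node this block is skipped.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => hardenOutgoingLinks(document));
}
```

Links inserted after page load (for example rows appended to a live view) need another call to `hardenOutgoingLinks`.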