
hide referrer of outgoing links (e.g. to provider or organisation) #9852

Closed
hpvd opened this issue Feb 25, 2016 · 9 comments
Labels
c: Privacy For issues that impact or improve the privacy. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement. not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.

Comments

@hpvd

hpvd commented Feb 25, 2016

Piwik's URL should not always be visible / spread widely.

Since there are some outgoing links, e.g. back to the organisation where visitors come from within the visitor log, it would be good to hide the referrer (Piwik's URLs).

Adding
<meta name="referrer" content="no-referrer" />
should be enough these days.

More complete solutions, e.g. via JS or PHP, are discussed here:
https://stackoverflow.com/questions/6428762/hide-referrer-on-click

@hpvd hpvd changed the title hide referrer of outgoing links (e.g. to provider) hide referrer of outgoing links (e.g. to provider or organisation) Feb 25, 2016
@tsteur tsteur added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement. labels Feb 25, 2016
@tsteur
Member

tsteur commented Feb 25, 2016

Thx, we should add it. I think we already set this for most links (not globally) and sometimes use our proxy to remove the referrer, but it would be better to also set it globally.

@tsteur tsteur added the c: Privacy For issues that impact or improve the privacy. label Feb 25, 2016
@mattab
Member

mattab commented Mar 31, 2016

Note: the rel=noreferrer is already set on the Provider/Org links (so referrer does not leak to these websites).

@mattab mattab added this to the Mid term milestone Mar 31, 2016
@hpvd
Author

hpvd commented Mar 31, 2016

rel=noreferrer is a good step.
Since it's not supported by every browser, one should maybe add some extra levels of forcing it.

See:
[screenshot: browser support comparison table for the referrer attribute]

source: https://en.wikipedia.org/wiki/Comparison_of_layout_engines_%28HTML5%29

@mattab
Member

mattab commented Nov 20, 2016

When we link to external websites where the URL linked to was "user submitted" (for example via the Tracking API referrer website tracking), it's very useful to set rel=noreferrer because it protects us against phishing attacks using the window.opener technique described in https://mathiasbynens.github.io/rel-noopener/#hax - so I'm adding now the component "Security" label to this issue.

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Nov 20, 2016
@hpvd
Author

hpvd commented Sep 14, 2017

Just a thought: issues with the security label should be handled with some priority... (18 months since the report now...)

@tsteur
Member

tsteur commented Aug 17, 2021

@Findus23 is this maybe done already re the header etc?

@Findus23
Member

@tsteur After #17842 this is undone again, as we would need to find a way to add noreferrer to every single link if we don't want to use the header.

@tsteur
Member

tsteur commented Aug 19, 2021

That's only for the overlay though? By default it would use Common::sendHeader('Referrer-Policy: same-origin');
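The thread describes two complementary controls for outgoing links: a global Referrer-Policy header (same-origin, as in the Common::sendHeader call above) and per-link rel=noreferrer / noopener for user-submitted URLs (mattab's Nov 2016 comment on the window.opener phishing technique). The block below is an added example, not Matomo's code: it models what a cross-origin destination receives under each Referrer-Policy value, resolves a multi-valued header the way browsers do (last recognised token wins), and audits an anchor's rel tokens. All origins and URLs are constructed sample values.

```javascript
// Added example (not Matomo's code). Defender-side checks for the two
// controls discussed in this issue: Referrer-Policy and rel tokens on links.
// All URLs below are constructed sample values.

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
];

// Browsers take the LAST recognised token of a comma-separated
// Referrer-Policy header and ignore unknown ones. '' means "use the
// browser default" (strict-origin-when-cross-origin in current browsers).
function effectivePolicy(headerValue) {
  const tokens = String(headerValue || '').split(',').map(t => t.trim().toLowerCase());
  const known = tokens.filter(t => POLICIES.includes(t));
  return known.length ? known[known.length - 1] : '';
}

// Referrer string the destination `to` sees when a page at `from` links to
// it under `policy`. Returns '' when no Referer header is sent.
// Handles http(s) URLs only; credentials and fragments are never sent.
function referrerSentTo(policy, from, to) {
  const src = new URL(from);
  const dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol === 'http:';
  const fullUrl = () => {
    const u = new URL(from);
    u.username = ''; u.password = ''; u.hash = '';
    return u.href;
  };
  const originOnly = () => src.origin + '/';

  switch (effectivePolicy(policy)) {
    case 'no-referrer': return '';
    case 'same-origin': return sameOrigin ? fullUrl() : '';
    case 'origin': return originOnly();
    case 'strict-origin': return downgrade ? '' : originOnly();
    case 'origin-when-cross-origin': return sameOrigin ? fullUrl() : originOnly();
    case 'no-referrer-when-downgrade': return downgrade ? '' : fullUrl();
    case 'unsafe-url': return fullUrl();
    default: // 'strict-origin-when-cross-origin' and the browser default
      if (downgrade) return '';
      return sameOrigin ? fullUrl() : originOnly();
  }
}

// True when an https page linking to a different https origin exposes its
// full path and query (the leak this issue is about) under `policy`.
function leaksPathCrossOrigin(policy) {
  const sent = referrerSentTo(policy,
    'https://analytics.example/index.php?module=Live&idSite=1',
    'https://shop.example/landing');
  return sent.includes('?');
}

// Audit one anchor: which rel tokens are missing for a link rendered by a
// page at `pageOrigin`. Cross-origin links need `noreferrer`; anything
// opened with target=_blank needs `noopener` (or `noreferrer`, which
// implies it) so the destination cannot reach window.opener.
function auditExternalLink(pageOrigin, { href, rel = '', target = '' }) {
  const tokens = new Set(rel.toLowerCase().split(/\s+/).filter(Boolean));
  const crossOrigin = new URL(href, pageOrigin).origin !== new URL(pageOrigin).origin;
  const missing = [];
  if (crossOrigin && !tokens.has('noreferrer')) missing.push('noreferrer');
  if (target.toLowerCase() === '_blank' && !tokens.has('noopener') && !tokens.has('noreferrer')) {
    missing.push('noopener');
  }
  return { crossOrigin, missing };
}

// Return a rel attribute value with the hardening tokens added once.
function hardenRel(rel = '') {
  const tokens = new Set(rel.split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return [...tokens].join(' ');
}

module.exports = { effectivePolicy, referrerSentTo, leaksPathCrossOrigin, auditExternalLink, hardenRel };
```

Running `leaksPathCrossOrigin` over the eight policy names shows that only `no-referrer-when-downgrade` and `unsafe-url` expose the full report URL to a third-party site, which is why the `same-origin` header alone closes the original report; the per-link `noreferrer` still matters for the overlay case where the header is relaxed.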

@Findus23
Member

Ah, that's what I missed: I didn't know that this->useStrictReferrerPolicy is true everywhere except for the overlay.
In that case I think the issue is solved.

@tsteur tsteur closed this as completed Aug 19, 2021
@tsteur tsteur added the not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. label Aug 19, 2021