Piwik's URL should not always be visible / spread widely
Since there are some outgoing links, e.g. back to the organisation where visitors come from within the visitor log, it would be good to hide the referrer (Piwik's URLs)
<meta name="referrer" content="no-referrer" />
should be enough these days
more complete solutions are
e.g. via js or php are discussed here
Thx, we should add it. I think we already set this for most links (not globally) and sometimes use our proxy to remove the referrer, but it would be better to also set it globally.
rel=noreferrer is already set on the Provider/Org links (so referrer does not leak to these websites).
rel=noreferrer is a good step.
Since it's not supported by every browser, one should maybe add some extra levels of forcing it.
When we link to external websites where the URL linked to was "user submitted" (for example via the Tracking API referrer website tracking), it's very useful to set rel=noreferrer because it protects us against phishing attacks using the window.opener technique described in https://mathiasbynens.github.io/rel-noopener/#hax - so I'm adding now the component "Security" label to this issue.
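An added example, not part of the thread and not Piwik's own code: one way to render a user-submitted URL (such as a tracked referrer shown in the visitor log) so that the link carries neither a Referer header nor a window.opener handle. The names OWN_ORIGIN, relFor and renderLink and the example.org hosts are hypothetical; the http/https scheme check goes beyond what the thread discusses.

```javascript
// Hypothetical helper; the origin below is a constructed placeholder.
const OWN_ORIGIN = 'https://analytics.example.org';

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the rel value to use for href, or null if the URL must not be linked.
// Existing rel tokens (e.g. "nofollow") are kept; cross-origin links gain
// noreferrer (no Referer header sent) and noopener (window.opener is null).
function relFor(href, ownOrigin = OWN_ORIGIN, existingRel = '') {
  let url;
  try {
    url = new URL(href, ownOrigin); // also resolves relative and //host forms
  } catch {
    return null; // unparsable input is never turned into a link
  }
  // Assumption: only web links are wanted; javascript:, data: etc. are refused.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  const tokens = new Set(existingRel.toLowerCase().split(/\s+/).filter(Boolean));
  if (url.origin !== new URL(ownOrigin).origin) {
    tokens.add('noreferrer');
    tokens.add('noopener');
  }
  return [...tokens].join(' ');
}

// Builds the anchor markup; refused URLs are shown as escaped plain text.
function renderLink(href, label, ownOrigin = OWN_ORIGIN) {
  const rel = relFor(href, ownOrigin);
  if (rel === null) return escapeHtml(label);
  const url = new URL(href, ownOrigin);
  const attrs = rel ? ` rel="${rel}" target="_blank"` : '';
  return `<a href="${escapeHtml(url.href)}"${attrs}>${escapeHtml(label)}</a>`;
}
```

Same-origin links are left without rel so that navigation inside the installation behaves as before.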
Just a thought: issues with the Security label should be handled with some prio... (18 months till report now...)