Use Referrer Policy to prevent referrers from being sent #6147
Labels
Comments
|
BTW you can also add |
|
Seems like a reasonable ask, and sounds easy to do. P3 == a sensible feature that isn't on the team's roadmap right now, but we'd be happy to see it from a community contribution :) |
|
If you look some centimeters/pixels above, I've already opened a PR… 😄 |
eras
added a commit
to eras/matrix-react-sdk
that referenced
this issue
Oct 20, 2019
An alternative fix to element-hq/element-web#6147 which for some reason the PR element-hq/element-web#6155 is not yet merged. The key difference is that the riot-web PR element-hq/element-web#6155 uses HTML meta header for noreferrer, while this one adds the rel-attribute to include the noreferrer keyword in both user-created links as well as links converted from incoming events. I guess it's up to the maintainers then to pick and choose, but please do ;).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I did not check whether you already use a similar mechanism, but it would be great if you can prevent the browser from sending the referrer when they click on a link (a user sent), so it does not leak to the site that the user came from Riot (including the whole URL).
The fix is easy, it's also just another HTTP header or HTML meta tag. So even if you already prevent it in some other way, this is a really safe and small thing and works in all modern browsers, so you should really make use of that.
The text was updated successfully, but these errors were encountered: