-
-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
change referrer policy. Stop sending referers as much as possible #3636
Conversation
Isn't that what this plugin is for: https://github.com/ether/ep_hide_referrer |
@slel We shouldn’t have to use a plugin to avoid pad’s URLs leaking to third party websites. |
@muxator Would you consider merging this PR for 1.8.0? I think it’s important. |
Personally, I am sensitive to the issue: my Firefox always runs with the referrer disabled, or with Regarding the PR: I would merge it if it was in a more complete form:
|
Gentle bump :) |
@slel It's already an Etherpad semantic to remove the referrers, #3044 has been merged, but Firefox seems to ignore that. This patch made Firefox remove them as well. @muxator Of course, I will work on this patch more, this or next week. I found more places where the referrer may leak later, but this one is the most urgent. |
Added `rel="noreferrer"` to automatically generated links in the main pad window as well as the chat window. `rel="noreferrer"` is part of the HTML5 standard. While browser support isn't 100%, it's better than nothing. Future alternative solutions with wider browser support, such as intermediary redirect pages, are unaffected by this change. https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer This commit was originally part of ether#2498
…er header Exported HTML can, when loaded from disk or an online server, also leak the location. Applying the `rel="noreferrer"` HTML5 standard mitigate the problem for compatible browsers. https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer This commit was originally part of ether#2498
be3314d
to
1dadf56
Compare
Pull request with discussion: ether#3636 What's already there: * meta name=referrer: already done in 1.6.1: ether#3044 https://caniuse.com/#feat=referrer-policy https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1]) The previous two commits I backported in this batch: * a rel=noreferrer: a pull request denied before: ether#2498 https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types (Firefox>=37, I can't find more info about support) This commit adds the following: * a rel=noopener: fixing a not-so-well-known way to extract referer https://html.spec.whatwg.org/multipage/links.html#link-type-noopener (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge) * Referrer-Policy: same-origin: the last bastion of referrer security https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge) meta name=referrer wasn't enough. I happened to leak a few referrers with my Firefox browser, though for some browsers it could have been enough. [1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it most probably incompatible (but I may be wrong on that, they may support both, but I have no way to test it currently). The next Edge release will be based on Chromium, so for that the Chrome version applies.
…sible Pull request with discussion: ether#3636 What's already there: * `meta name=referrer`: already done in 1.6.1: ether#3044 https://caniuse.com/#feat=referrer-policy https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1]) The previous two commits (by @joelpurra) I backported in this batch: * `<a rel=noreferrer>`: a pull request denied before: ether#2498 https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types (Firefox>=37, I can't find more info about support) This commit adds the following: * `<a rel="noopener">`: fixing a not-so-well-known way to extract referer https://html.spec.whatwg.org/multipage/links.html#link-type-noopener (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge) * `Referrer-Policy: same-origin`: the last bastion of referrer security https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge) meta name=referrer wasn't enough. I happened to leak a few referrers with my Firefox browser, though for some browsers it could have been enough. [1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it most probably incompatible (but I may be wrong on that, they may support both, but I have no way to test it currently). The next Edge release will be based on Chromium, so for that the Chrome version applies.
Pull request with discussion: ether#3636 What's already there: * meta name=referrer: already done in 1.6.1: ether#3044 https://caniuse.com/#feat=referrer-policy https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1]) The previous two commits (by @joelpurra) I backported in this batch: * a rel=noreferrer: a pull request denied before: ether#2498 https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types (Firefox>=37, I can't find more info about support) This commit adds the following: * a rel=noopener: fixing a not-so-well-known way to extract referer https://html.spec.whatwg.org/multipage/links.html#link-type-noopener (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge) * Referrer-Policy: same-origin: the last bastion of referrer security https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge) meta name=referrer wasn't enough. I happened to leak a few referrers with my Firefox browser, though for some browsers it could have been enough. [1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it most probably incompatible (but I may be wrong on that, they may support both, but I have no way to test it currently). The next Edge release will be based on Chromium, so for that the Chrome version applies.
1dadf56
to
6fa3103
Compare
I rebased my commit on @joelpurra's work. Below I will paste the content of the commit message, because it is quite informative about the issue and I think it should be more visible to people who will be interested in that issue.
|
Pull request with discussion: ether#3636 What's already there: * `meta name=referrer`: already done in 1.6.1: ether#3044 https://caniuse.com/#feat=referrer-policy https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1]) The previous two commits (by @joelpurra) I backported in this batch: * `<a rel=noreferrer>`: a pull request denied before: ether#2498 https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types (Firefox>=37, I can't find more info about support) This commit adds the following: * `<a rel="noopener">`: fixing a not-so-well-known way to extract referer https://html.spec.whatwg.org/multipage/links.html#link-type-noopener (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge) * `Referrer-Policy: same-origin`: the last bastion of referrer security https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge) meta name=referrer wasn't enough. I happened to leak a few referrers with my Firefox browser, though for some browsers it could have been enough. [1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it most probably incompatible (but I may be wrong on that, they may support both, but I have no way to test it currently). The next Edge release will be based on Chromium, so for that the Chrome version applies.
6fa3103
to
386c65c
Compare
Pull request with discussion: ether#3636 What's already there: * `meta name=referrer`: already done in 1.6.1: ether#3044 https://caniuse.com/#feat=referrer-policy https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1]) The previous two commits (by @joelpurra) I backported in this batch: * `<a rel=noreferrer>`: a pull request denied before: ether#2498 https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types (Firefox>=37, I can't find more info about support) This commit adds the following: * `<a rel="noopener">`: fixing a not-so-well-known way to extract referer https://html.spec.whatwg.org/multipage/links.html#link-type-noopener (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge) * `Referrer-Policy: same-origin`: the last bastion of referrer security https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge) meta name=referrer wasn't enough. I happened to leak a few referrers with my Firefox browser, though for some browsers it could have been enough. [1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it most probably incompatible (but I may be wrong on that, they may support both, but I have no way to test it currently). The next Edge release will be based on Chromium, so for that the Chrome version applies.
386c65c
to
951c44e
Compare
…sible Pull request with discussion: ether#3636 What's already there: * `meta name=referrer`: already done in 1.6.1: ether#3044 https://caniuse.com/#feat=referrer-policy https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1]) The previous two commits (by @joelpurra) I backported in this batch: * `<a rel=noreferrer>`: a pull request denied before: ether#2498 https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types (Firefox>=37, I can't find more info about support) This commit adds the following: * `<a rel="noopener">`: fixing a not-so-well-known way to extract referer https://html.spec.whatwg.org/multipage/links.html#link-type-noopener (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge) * `Referrer-Policy: same-origin`: the last bastion of referrer security https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge) meta name=referrer wasn't enough. I happened to leak a few referrers with my Firefox browser, though for some browsers it could have been enough. [1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it most probably incompatible (but I may be wrong on that, they may support both, but I have no way to test it currently). The next Edge release will be based on Chromium, so for that the Chrome version applies.
951c44e
to
2d9ed8c
Compare
2d9ed8c
to
54e0f2d
Compare
Pulled in, thanks. |
This change augments what was already done in 54e0f2d (PR with discussion at ether#3636). For documentation about the meaning of "noopener, noreferrer", see: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#Window_functionality_features
This change augments what was already done in 54e0f2d (PR with discussion at ether#3636). For documentation about the meaning of "noopener, noreferrer", see: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#Window_functionality_features
This change augments what was already done in 54e0f2d (PR with discussion at #3636). For documentation about the meaning of "noopener, noreferrer", see: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#Window_functionality_features
This change augments what was already done in 54e0f2d (PR with discussion at #3636). For documentation about the meaning of "noopener, noreferrer", see: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#Window_functionality_features
Before this patch I managed to send a bunch of referrers to third party websites with Firefox. Unfortunately, meta name="referrer" isn't enough.
I added "noopener" because that's also what Nextcloud does. One may want to check another pull request from 2015 which may be more complete, but it was denied with a plugin proposal: #2498
References to earlier issues: #1603, #3043