@hpvd opened this issue on February 25th 2016

Piwik's URL should not always be visible / spread widely

Since there are some outgoing links, e.g. back to the organisation where visitors come from within the visitor log, it would be good to hide the referrer (Piwik's URLs).

Adding <meta name="referrer" content="no-referrer" /> should be enough these days.

More complete solutions, e.g. via JS or PHP, are discussed here: https://stackoverflow.com/questions/6428762/hide-referrer-on-click

@tsteur commented on February 25th 2016

Thx, we should add it. I think we already set this for most links (not globally) and sometimes use our proxy to remove the referrer, but it would be better to also set it globally.

@mattab commented on March 31st 2016

Note: the rel=noreferrer is already set on the Provider/Org links (so referrer does not leak to these websites).

@hpvd commented on March 31st 2016

rel=noreferrer is a good step. Since it's not supported by every browser, one should maybe add some extra levels of forcing it.


source: https://en.wikipedia.org/wiki/Comparison_of_layout_engines_%28HTML5%29

@mattab commented on November 20th 2016

When we link to external websites where the URL linked to was "user submitted" (for example via the Tracking API referrer website tracking), it's very useful to set rel=noreferrer because it protects us against phishing attacks using the window.opener technique described in https://mathiasbynens.github.io/rel-noopener/#hax - so I'm adding now the component "Security" label to this issue.
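An added example, not part of the original thread and not Piwik's code: a small JavaScript audit that flags external links in rendered HTML that would leak the referrer or leave window.opener reachable, taking into account both the page-wide meta tag and the per-link rel attribute discussed above. The function names, the origin and the sample markup are constructed for illustration.

```javascript
// Added example, not Piwik code. Function names, origin and markup are constructed.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function auditExternalLinks(html, ownOrigin) {
  const own = new URL(ownOrigin).origin;
  // Page-wide policy: <meta name="referrer" content="no-referrer">
  const pageNoReferrer = (html.match(/<meta\b[^>]*>/gi) || [])
    .map(parseAttrs)
    .some(a => (a.name || '').toLowerCase() === 'referrer' &&
               (a.content || '').toLowerCase() === 'no-referrer');
  const findings = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if (!a.href) continue;
    let url;
    try { url = new URL(a.href, own); } catch { continue; }
    if (!/^https?:$/.test(url.protocol) || url.origin === own) continue;
    const rel = new Set((a.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
    const target = (a.target || '').toLowerCase();
    const newContext = target !== '' && !['_self', '_parent', '_top'].includes(target);
    const issues = [];
    // The referrer stays hidden if either the link or the whole page opts out.
    if (!rel.has('noreferrer') && !pageNoReferrer) issues.push('referrer-leak');
    // The meta tag does not touch window.opener; only rel does (noreferrer implies noopener).
    if (newContext && !rel.has('noopener') && !rel.has('noreferrer')) issues.push('opener-exposed');
    if (issues.length) findings.push({ href: url.href, issues });
  }
  return findings;
}

// Constructed sample resembling a visitor-log fragment.
const SAMPLE_HTML = `
<a href="/index.php?module=Live">internal</a>
<a href="https://provider.example/" rel="noreferrer" target="_blank">provider</a>
<a href="https://referrer-site.example/page" target="_blank">tracked referrer</a>
<a href="https://docs.example/" rel="noopener" target="_blank">docs</a>`;

console.log(auditExternalLinks(SAMPLE_HTML, 'https://analytics.example'));
```

With the meta tag prepended to the same markup, only the opener finding on the tracked-referrer link remains, which is why the global tag does not replace rel on links to user-submitted URLs.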

@hpvd commented on September 14th 2017

Just a thought: issues with the security label should be handled with some prio... (18 months since the report now...)
