@hpvd opened this Issue on February 25th 2016

Piwik's URL should not always be visible / spread widely

Since there are some outgoing links, e.g. back to the organisation where visitors come from, within the visitor log, it would be good to hide the referrer (Piwik's URLs)

adding
<meta name="referrer" content="no-referrer" />
should be enough these days

more complete solutions, e.g. via JS or PHP, are discussed here
https://stackoverflow.com/questions/6428762/hide-referrer-on-click

@tsteur commented on February 25th 2016 Owner

Thx, we should add it. I think we already set this for most links (not globally) and sometimes use our proxy to remove the referrer but would be better to also set it globally

@mattab commented on March 31st 2016 Owner

Note: the rel=noreferrer is already set on the Provider/Org links (so referrer does not leak to these websites).

@hpvd commented on March 31st 2016

rel=noreferrer is a good step.
Since it's not supported by every browser, one should maybe add some extra levels of forcing it

See:
[image: 2016-03-31_12h39_08]

source: https://en.wikipedia.org/wiki/Comparison_of_layout_engines_%28HTML5%29

@mattab commented on November 20th 2016 Owner

When we link to external websites where the URL linked to was "user submitted" (for example via the Tracking API referrer website tracking), it's very useful to set rel=noreferrer because it protects us against phishing attacks using the window.opener technique described in https://mathiasbynens.github.io/rel-noopener/#hax - so I'm adding now the component "Security" label to this issue.
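
Added example, not part of the original thread and not Piwik's own code: one way to build the attributes for a link whose URL was user submitted, so that external targets always get `rel="noreferrer noopener"` and non-http(s) schemes are never rendered as links. `APP_ORIGIN` and `safeLinkAttrs` are hypothetical names and the hostnames are constructed.

```javascript
// Hypothetical origin of the analytics install (constructed value).
const APP_ORIGIN = "https://analytics.example.org";

// Returns { href, rel } for a link that is safe to render, or null when the
// submitted URL should not be rendered as a link at all.
function safeLinkAttrs(rawHref, existingRel = "", appOrigin = APP_ORIGIN) {
  let url;
  try {
    // Relative URLs are resolved against the application's own origin.
    url = new URL(rawHref, appOrigin);
  } catch (e) {
    return null; // unparsable input
  }

  // User-submitted URLs are only linked when they are plain web URLs.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;
  }

  // Keep rel tokens that are already present (e.g. nofollow), without duplicates.
  const rel = new Set(
    existingRel.split(/\s+/).filter(Boolean).map((t) => t.toLowerCase())
  );

  if (url.origin !== appOrigin) {
    rel.add("noreferrer"); // do not send the analytics URL as Referer
    rel.add("noopener");   // target page gets no window.opener handle
  }

  return { href: url.href, rel: [...rel].join(" ") };
}
```

Setting both tokens covers browsers that honour only one of them; a page-wide `<meta name="referrer" content="no-referrer" />`, as proposed in the opening post, remains a useful second layer.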

@hpvd commented on September 14th 2017

Just a thought: issues with the security label should be handled with some prio... (18 months since the report now...)
