
Prevent sending referrers when clicking links from my site with an exception for one domain

@Karen161

Posted in: #ContentSecurityPolicy #PrivacyPolicy #Referrer

Let's admit that, for security / privacy reasons, I want to globally set my referrer policy to be "no-referrer".

For instance, using Apache's .htaccess's

Header always set Referrer-Policy no-referrer


IIS' web.config's

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Referrer-Policy" value="no-referrer" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>


etc., etc. In other words, I want this policy to be globally enforced, for every single webpage.

However, for one particular domain (say validator.w3.org/), I'd like to send the referrer (for instance, to use the convenient url validator.w3.org/check?uri=referer).
I could use the experimental referrerpolicy attribute of links, but I don't know how well that attribute is supported. I don't know either if such an attribute can override the setting of the server.

The link type 'noreferrer' attribute seems to be well supported, but I want to achieve the opposite!

How could I globally disallow the referer to be sent, except for links pointing to a particular domain?


2 Comments


@Jennifer507

Method 2

Following the concept of method 1 (below), I realised this could probably be done with just one technology and without reloading the current page. It's all done client side with plain JavaScript.

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<a href="https://validator.w3.org" id="allowReferrer">Link that you do want to allow referrer to be passed to</a>
<a href="http://w3.org">Link that you don't want referrer to be passed to</a>

<script>
// Intercept clicks on the one link that is allowed to receive a referrer.
document.getElementById('allowReferrer').addEventListener('click', function (e) {
    e.preventDefault();
    // Relax the document's policy to "origin" just before navigating.
    var metaRef = document.createElement("meta");
    metaRef.setAttribute("name", "referrer");
    metaRef.setAttribute("content", "origin");
    document.head.appendChild(metaRef);
    // Follow the link now that the relaxed policy is in place.
    window.location.href = this.href;
});
</script>
</body>
</html>


(This code can definitely be improved - it's just a proof of concept.)

Essentially there is an event listener on the allowReferrer ID which, when triggered, prevents the link from being followed, adds the referrer = origin meta tag to the head, then follows the link. Much tidier than method 1.

Method 1

I've just tested a rather convoluted solution, but it's the only solution I can think of, and it did work.

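<!DOCTYPE html>
<html>
<head>
<?php
// Destinations that may receive the referrer. Checking "location" against a
// fixed list keeps this page from acting as an open redirect or a script injection point.
$allowed = ['https://validator.w3.org'];
$location = $_GET['location'] ?? '';
if (($_GET['referrer'] ?? '') === 'true' && in_array($location, $allowed, true)) {
    echo '<meta name="referrer" content="origin">';
    // json_encode with the JSON_HEX_* flags emits a string literal that cannot break out of <script>.
    echo '<script>window.location.href = '
        . json_encode($location, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
        . ';</script>';
} else {
    echo '<meta name="referrer" content="no-referrer">';
}
?>
</head>
<body>
<a href="http://example.com/?referrer=true&location=https%3A%2F%2Fvalidator.w3.org">Link that you do want to allow referrer to be passed to</a>
<a href="http://google.com">Link that you don't want referrer to be passed to</a>
</body>
</html>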


(This code can definitely be improved - it's just a proof of concept.)

When the page loads it looks for a query parameter called 'referrer', if that is not set to "true" then the referrer meta tag is set to 'no-referrer', but if it is set to "true" then the referrer meta tag is set to 'origin' and JavaScript is executed to redirect you to a location held in a second query parameter called 'location'.

All links will normally be followed without passing any referrer information. If you want a link to allow the referrer to be passed, then you would create your link as

[current URL]?referrer=true&location=[link which should be url encoded]

for example

example.com/test/some-page.php?referrer=true&location=https%3A%2F%2Fvalidator.w3.org

It's definitely not pretty, but until there is good support for the referrerpolicy attribute on the anchor tags, it might be the only way. Before using this solution, I would urge you to ask yourself how important it is that you have this functionality, and is it worth it?

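A per-link variant of the allowlist idea in Method 2, as an added example that is not part of the original answer: the global `no-referrer` header stays in place and only links to allowlisted hosts get a relaxed `referrerPolicy`. It relies on the `referrerpolicy` attribute mentioned in the question, which takes precedence over the document's policy under the Referrer Policy specification. The function names and the allowlist are assumptions.

```javascript
// Added example. Hosts allowed to receive a referrer (assumption: exact host match).
const REFERRER_ALLOWED_HOSTS = new Set(['validator.w3.org']);

// Decide the policy for one link: 'origin' (the value Method 2 uses) for
// allowlisted HTTPS targets, 'no-referrer' for everything else.
function referrerPolicyFor(href, baseUrl, allowedHosts = REFERRER_ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(href, baseUrl); // resolves relative links against the page URL
  } catch (_) {
    return 'no-referrer'; // unparsable href: fail closed
  }
  if (url.protocol !== 'https:') return 'no-referrer';
  // Compare the parsed hostname, never a substring of the raw href, so
  // "validator.w3.org.evil.example" and "validator.w3.org@evil.example" do not match.
  return allowedHosts.has(url.hostname) ? 'origin' : 'no-referrer';
}

// Stamp every link in the document and return how many were relaxed.
function applyReferrerExceptions(doc, allowedHosts = REFERRER_ALLOWED_HOSTS) {
  let relaxed = 0;
  for (const a of doc.querySelectorAll('a[href]')) {
    const policy = referrerPolicyFor(a.getAttribute('href'), doc.baseURI, allowedHosts);
    a.referrerPolicy = policy; // reflects the referrerpolicy attribute
    if (policy !== 'no-referrer') {
      a.relList.remove('noreferrer'); // rel="noreferrer" would override the attribute
      relaxed++;
    }
  }
  return relaxed;
}

// Run in the browser only; skipped when loaded outside a page.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => applyReferrerExceptions(document));
}
```

Browsers that do not implement the attribute ignore it and fall back to the document policy, so the failure mode is that no referrer is sent.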


 

@Looi9037786

You can try in this way, although I am not sure if it's widely supported

<a href="#link" rel="referrer dofollow">link</a>
