referer: HTML5 browsers no longer leak pad through HTTP referer header

Added `rel="noreferrer"` to automatically generated links in the main pad window as well as the chat window. `rel="noreferrer"` is part of the HTML5 standard. While browser support isn't 100%, it's better than nothing. Future alternative solutions with wider browser support, such as intermediary redirect pages, are unaffected by this change. https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer This commit was originally part of ether#2498
hmdne · Nov 23, 2019 · b42a587 · b42a587
1 parent 14d81ec
commit b42a587
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/src/static/js/domline.js b/src/static/js/domline.js
@@ -198,7 +198,10 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument)
         {
           href = "http://"+href;
         }
-        extraOpenTags = extraOpenTags + '<a href="' + Security.escapeHTMLAttribute(href) + '">';
+        // Using rel="noreferrer" stops leaking the URL/location of the pad when clicking links in the document.
+        // Not all browsers understand this attribute, but it's part of the HTML5 standard.
+        // http://www.w3.org/TR/html5/links.html#link-type-noreferrer
+        extraOpenTags = extraOpenTags + '<a href="' + Security.escapeHTMLAttribute(href) + '" rel="noreferrer">';
         extraCloseTags = '</a>' + extraCloseTags;
       }
       if (simpleTags)

diff --git a/src/static/js/pad_utils.js b/src/static/js/pad_utils.js
@@ -223,7 +223,10 @@ var padutils = {
         var startIndex = urls[j][0];
         var href = urls[j][1];
         advanceTo(startIndex);
-        pieces.push('<a ', (target ? 'target="' + Security.escapeHTMLAttribute(target) + '" ' : ''), 'href="', Security.escapeHTMLAttribute(href), '">');
+        // Using rel="noreferrer" stops leaking the URL/location of the pad when clicking links in the document.
+        // Not all browsers understand this attribute, but it's part of the HTML5 standard.
+        // http://www.w3.org/TR/html5/links.html#link-type-noreferrer
+        pieces.push('<a ', (target ? 'target="' + Security.escapeHTMLAttribute(target) + '" ' : ''), 'href="', Security.escapeHTMLAttribute(href), '" rel="noreferrer">');
         advanceTo(startIndex + href.length);
         pieces.push('</a>');
       }