mediagoblin-devel

[GMG-Devel] [PATCH] Prevent browsers sending referrer headers


From: Duncan
Subject: [GMG-Devel] [PATCH] Prevent browsers sending referrer headers
Date: Fri, 24 Jul 2015 13:42:15 +1200

Hi MediaGoblin community,

I've got a one-line patch for MediaGoblin but I see that you're having
issues with spam on Trac, maybe discussing here is easier?

This change prevents browsers sending Referrer headers from MediaGoblin.
It fixes the scenario where a user clicks an external link in a
description field or comment, resulting in their browser revealing their
MediaGoblin instance and media URL to that site.

I think this is a safer default because users might not expect to reveal
their private MediaGoblin instance simply by following a link. (For
public instances users might not be concerned either way.)

The meta tag used here is part of the upcoming Referrer Policy spec[1]
and already works in Firefox and Chrome.

Thanks for working on MediaGoblin!

Duncan

[1]: https://w3c.github.io/webappsec/specs/referrer-policy/

---
 mediagoblin/templates/mediagoblin/base.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mediagoblin/templates/mediagoblin/base.html 
b/mediagoblin/templates/mediagoblin/base.html
index ddc38b3..a3f9066 100644
--- a/mediagoblin/templates/mediagoblin/base.html
+++ b/mediagoblin/templates/mediagoblin/base.html
@@ -27,6 +27,7 @@
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta name="referrer" content="no-referrer">
     <meta http-equiv="X-UA-Compatible" content="IE=Edge">
     <title>{% block title %}{{ app_config['html_title'] }}{% endblock 
%}</title>
     <link rel="stylesheet" type="text/css"
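Review bot: the new meta tag sits before the stylesheet <link> and before any script, so the policy is already in effect when the first subresource is fetched; that ordering matters and should be preserved if the head is ever reorganised. Two points to consider before merging. First, "no-referrer" suppresses the Referer on same-origin navigations too, not only on the external links the cover note is concerned with, so any MediaGoblin view that reads the Referer header (redirect-back after login, for example) should be checked against this change. Second, the cover note itself says public instances may not care, and the next line already reads a value from app_config for html_title; exposing the policy string through app_config in the same way, with "no-referrer" as the default, would let an admin relax it without editing the template. Browsers that do not implement the Referrer Policy spec ignore the tag and keep sending the full URL, which is worth a sentence in the commit message so the protection is not overstated.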
-- 
2.4.6

