[GMG-Devel] [PATCH] Prevent browsers sending referrer headers
From: Duncan
Subject: [GMG-Devel] [PATCH] Prevent browsers sending referrer headers
Date: Fri, 24 Jul 2015 13:42:15 +1200

Hi MediaGoblin community,

I've got a one-line patch for MediaGoblin but I see that you're having
issues with spam on Trac, maybe discussing here is easier?

This change prevents browsers sending Referrer headers from MediaGoblin.
It fixes the scenario where a user clicks an external link in a
description field or comment, resulting in their browser revealing their
MediaGoblin instance and media URL to that site.

I think this is a safer default because users might not expect to reveal
their private MediaGoblin instance simply by following a link. (For
public instances users might not be concerned either way.)

The meta tag used here is part of the upcoming Referrer Policy spec[1]
and already works in Firefox and Chrome.

Thanks for working on MediaGoblin!

Duncan

[1]: https://w3c.github.io/webappsec/specs/referrer-policy/
---
mediagoblin/templates/mediagoblin/base.html | 1 +
1 file changed, 1 insertion(+)
diff --git a/mediagoblin/templates/mediagoblin/base.html
b/mediagoblin/templates/mediagoblin/base.html
index ddc38b3..a3f9066 100644
--- a/mediagoblin/templates/mediagoblin/base.html
+++ b/mediagoblin/templates/mediagoblin/base.html
@@ -27,6 +27,7 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <meta name="referrer" content="no-referrer">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<title>{% block title %}{{ app_config['html_title'] }}{% endblock
%}</title>
<link rel="stylesheet" type="text/css"
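Review bot: on the added `<meta name="referrer" content="no-referrer">` line, the policy is hardcoded for every instance and suppresses the header on same-origin requests as well as external links, while the commit message itself notes that public instances may not care either way. Consider taking the value from `app_config` (the `<title>` line already reads `app_config['html_title']`) with `no-referrer` as the default, and add a short template comment naming the Referrer Policy spec so the purpose of the tag is clear to later editors. The tag also only covers pages rendered from base.html, which is worth stating in the commit message.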
--
2.4.6
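
An added example, not part of the original message or of MediaGoblin's code: a small check that reads a rendered page and reports the most a cross-origin site could learn from the Referer header under the page's `<meta name="referrer">` policy. The function name `cross_origin_exposure` and the two sample heads (built from the hunk, with the Jinja title block replaced) are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# Worst case a cross-origin site learns from the Referer header per policy.
CROSS_ORIGIN_EXPOSURE = {
    "no-referrer": "nothing",
    "same-origin": "nothing",
    "origin": "origin",
    "strict-origin": "origin",
    "origin-when-cross-origin": "origin",
    "strict-origin-when-cross-origin": "origin",
    "no-referrer-when-downgrade": "full-url",
    "unsafe-url": "full-url",
}

class _ReferrerMeta(HTMLParser):
    """Collects the content of every <meta name="referrer"> tag."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").strip().lower() == "referrer":
            self.policies.append((a.get("content") or "").strip().lower())

def cross_origin_exposure(html):
    """Return (policy, exposure); the last recognised tag wins.
    Assumption: unrecognised values are treated as if no policy was set."""
    parser = _ReferrerMeta()
    parser.feed(html)
    for policy in reversed(parser.policies):
        if policy in CROSS_ORIGIN_EXPOSURE:
            return policy, CROSS_ORIGIN_EXPOSURE[policy]
    return None, "browser-default"

# Constructed sample heads modelled on the hunk (Jinja title block replaced).
BEFORE = """<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<title>Example instance</title></head>"""
AFTER = BEFORE.replace('<meta http-equiv',
                       '<meta name="referrer" content="no-referrer">\n<meta http-equiv')

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, cross_origin_exposure(page))
```

A result of `"origin"` means the media URL stays private but the instance's hostname is still disclosed, which matters for the private-instance case the message describes.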