Roundup Tracker - Issues

Issue 2551088

classification
Title: Add norefererer to link representation
Type: security Severity: normal
Components: Web interface Versions: devel
process
Status: new Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: rouilj
Priority: Keywords: Effort-Low

Created on 2020-08-13 02:57 by rouilj, last changed 2020-08-13 04:14 by rouilj.

Messages
msg6941 Author: [hidden] (rouilj) Date: 2020-08-13 02:57
See: https://html.spec.whatwg.org/multipage/links.html#link-type-
noreferrer

We already use:

  nofollow noopener

for links to reduce the utility of spamming a tracker (nofollow) and
prevent a link opened from a tracker from interacting with the tracker
via the opener handle. Adding noreferrer implements noopener for IE
and also prevents the referer (sic) header from being sent to the
server for the link.

So this is an incremental improvement to what we have.

I don't like loosing the referer header as that could be useful to the
destination web site. But IE won't die.

This is as easy as finding all instances of noopener and adding 
noreferrer.
msg6942 Author: [hidden] (rouilj) Date: 2020-08-13 04:14
Maybe consider adding webmention for embedded urls?

It should be possible to create a reactor that handles
the notification by scanning a new changenote for url's.

If it finds a rel=webmention at the URL it can link from the issue 
(possibly with a fragment to the message) 
Provide a link to the issue.

Details: https://www.w3.org/TR/2017/REC-webmention-20170112/
History
Date User Action Args
2020-08-13 04:14:51rouiljsetmessages: + msg6942
2020-08-13 02:57:34rouiljcreate