hypothesis / h / 14069
97%

DEFAULT BRANCH: master
Ran
Jobs 1
Files 0
Run time
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
14069

Pull #3579

travis-ci

Sean Hammond 
Remove referer from groups page links

Ask browsers not to include path part of the URL in the HTTP "Referer"
header in requests sent when clicking on links on the groups page, by
adding a <meta name="referrer" content="origin"> HTML tag to the <head>
of the groups page.

The problem is that some of the links on a group's page - the links to
the documents that the group has annotated - are links to third-party
websites and the values of the Referer header sent to these websites
would be the URLs of the group pages.

If you have the URL of a group's page then you can join the group and
see the group's annotations, and those URLs were being revealed to
anyone with access to the HTTP request logs of the servers of the
annotated documents.

The <meta name="referrer" tag actually asks browsers not to send the
path for _any_ of the links on the page, including links to other pages
of our own hypothes.is website, even though it's only the links to
third-party sites that we don't want to send the path to.

It's possible to add a rel="noreferrer" attribute to individual links,
instead of a <meta name="referrer" tag for the whole page,
but rel="noreferrer" is not as widely supported by browsers as
<meta name="referrer" is (in particular, rel="noreferrer" is not
supported by older versions of Firefox or by any version of Internet
Explorer).

It's also possible to use a
<meta name="referrer" content="origin-when-cross-origin">
tag to tell the browser to only send the path in the Referer when following
links to URLs of the same origin as the current page. But
"origin-when-cross-origin" is not as widely supported by browsers as
"never" (in particular, Edge and Safari don't support it).

Since we're not actually doing anything with the path in the Referer
header when people follow links from the groups page to other pages of
our own site, I judged it better to go for the widest browser support
than to try to only strip the path from the links that we need to strip
i... (continued)
Pull Request #3579:
Jobs
ID Job ID Ran Files Coverage
3 14069.3 (ACTION=gulp GULPTASK=test-app) 0
Travis Job 14069.3
Source Files on build 14069
Detailed source file information is not available for this build.