“Referrer Suppressor”, which eliminates the browser’s referer, is one of my favorite features in IP Location Block.
It came to this plugin as a logical consequence of WP-ZEP. In this article, I’ll tell you the story.
A possibility of nonce disclosure
A nonce is a secret token that only the user who requests a certain page at a certain moment can know. It is one of the basic and important building blocks for preventing CSRF and related vulnerabilities.
On behalf of vulnerable plugins, WP-ZEP embeds a nonce into the hyperlinks, forms and Ajax calls that target somewhere in the admin area. To keep it secret, WP-ZEP must close every route by which a nonce could be disclosed.
One such route is the referer string: follow an external hyperlink from an admin page and the browser hands the admin URL, query string and nonce included, to the destination site, where it is left as a footprint of your visit.
That’s why “Referrer Suppressor” is needed. As a result, this functionality also keeps your admin URL (with its query string) secret while you are in the admin area.
How to suppress a referer?
When a click event is triggered on a hyperlink whose anchor points to an external URL, this plugin opens a new window and redirects it to that URL through a tiny page that carries some extra meta tags.
“Meta refresh” is an old-school technique that is not part of the HTTP standard, but every browser redirects to the URL specified in it.
On a page including this tag, IE and Firefox do not send the referer to the redirected URL, but Chrome, Safari and Opera do. So we also need a new-school one, i.e. the referrer policy meta tag defined by “Referrer-Policy Delivery”:
Then the final solution becomes the combination of the two: the referrer policy meta tag, followed by the meta refresh that performs the redirect.
You can find this in authenticate.js.
Note that the legacy policy keywords such as “never” and “always” are obsolete in the current spec, which names them “no-referrer” and “unsafe-url” instead, although browsers still accept the old spellings.
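As an added illustration (this is example code, not the plugin’s own authenticate.js), the following script shows the approach in working form: it intercepts clicks on external links, refuses anything that is not an http(s) URL, and writes an intermediate page that carries the referrer policy meta tag ahead of the meta refresh. All function names are this example’s own choices.

```javascript
// Added example, not the plugin's authenticate.js. A minimal "referrer
// suppressor" for external links leaving an admin page.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Escape a string for use inside a double-quoted HTML attribute, so that a
// crafted href cannot break out of the meta refresh tag we generate.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Resolve `href` against `currentOrigin` and return the absolute URL if it
// leaves the origin; return null for same-origin links and for non-http(s)
// schemes (javascript:, data:, ...) so they are never written into a page.
function resolveExternal(href, currentOrigin) {
  let url;
  try {
    url = new URL(href, currentOrigin);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.origin === new URL(currentOrigin).origin ? null : url.href;
}

// Build the intermediate page. The referrer policy comes first so that it is
// already in effect when the refresh is processed. "never" is the legacy
// keyword older browsers understood; "no-referrer" is the current one.
function buildRedirectPage(url) {
  const safe = escapeAttr(url);
  return '<!DOCTYPE html><html><head><meta charset="UTF-8">' +
    '<meta name="referrer" content="never">' +
    '<meta name="referrer" content="no-referrer">' +
    '<meta http-equiv="refresh" content="0; url=' + safe + '">' +
    '</head><body></body></html>';
}

// Browser part: catch clicks on external anchors and route them through the
// intermediate page in a new window.
function installReferrerSuppressor(doc, win) {
  doc.addEventListener('click', function (ev) {
    const a = ev.target && ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!a) return;
    const target = resolveExternal(a.getAttribute('href'), win.location.origin);
    if (!target) return;          // same-origin or unsafe scheme: leave it alone
    ev.preventDefault();
    const w = win.open('', '_blank');
    if (!w) return;               // popup blocked: do nothing rather than leak
    w.opener = null;              // the destination must not reach back into the admin page
    w.document.open();
    w.document.write(buildRedirectPage(target));
    w.document.close();
  });
}

if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installReferrerSuppressor(document, window);
}
```

To verify it, point such a link at a page that echoes document.referrer (or check the Referer header in that site’s access log); an empty value means the suppressor works in that browser. In current browsers the same effect is available without an intermediate window, through rel="noreferrer" on the anchor or a Referrer-Policy response header on the admin pages; the meta-tag trick remains useful for browsers that predate both.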
Please try the following links:
If you find a browser that takes referrer strings to the redirected page when you click
|Browser|Version|OS|Result|
|---|---|---|---|
|Chrome|42.0|OS X 10.9.5|OK|
|Firefox|37.0|OS X 10.9.5|OK|
|Safari|7.1.5|OS X 10.9.5|OK|
|Opera|12.6|OS X 10.9.5|NG|
|Opera|29.0|OS X 10.9.5|OK|
|Android Native|4.0|Android 2.3.5|OK|
|Mobile Firefox|34.0|Android 2.3.5|OK|
|Mobile Chrome|42.0|iOS 8.3|OK|
|Mobile Safari|8.0|iOS 8.3|OK|

Result: OK means no referer string reached the redirected page; NG means the referer leaked.