Referrer Suppressor for external links

Posted on May 11, 2021

“Referrer Suppressor”, which eliminates the browser’s referer, is one of my favorite features in IP Location Block.

It came to this plugin as a logical consequence of WP-ZEP. In this article, I’ll tell you the story.

A possibility of nonce disclosure

A nonce is secret information that can be known only by the user who accesses a certain page at a certain moment. It’s one of the basic and important factors in preventing CSRF and other vulnerabilities.

In place of vulnerable plugins, WP-ZEP embeds a nonce into the hyperlinks, forms, and ajax calls that send requests to somewhere in the admin area. To keep it secret, WP-ZEP must eliminate any possibility of disclosing a nonce.

One possibility lies in the referer string, which is left as a footprint on any page you visit via an external hyperlink.

That’s why “Referrer Suppressor” is needed. As a result, this functionality keeps your admin URL (along with some of its queries) secret while you are in the admin area.

How to suppress a referer?

When a click event is triggered on a hyperlink that points to an external URL, this plugin opens a new window that redirects to that URL using some extra meta tags.

“Meta refresh” is an old-school technique that is not part of the HTTP standard, but every browser redirects to the specified URL.

<meta http-equiv="refresh" content="0; url=http://example.com/">

On a page that includes this tag, IE and Firefox do not send the referer to the redirected URL, but Chrome, Safari, and Opera do. So we need the new-school approach, i.e. “Referrer-Policy Delivery”:

<meta name="referrer" content="no-referrer">

or

<a href="http://example.com" rel="noreferrer">

The final solution then looks as follows.

<meta name="referrer" content="never" />
<meta name="referrer" content="no-referrer" />
<meta http-equiv="refresh" content="0; url=http://example.com/" />

You can find this in authenticate.js.

Note

The keywords never, default, and always are obsolete.
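
The click-to-interstitial flow described above, sketched as an added example. This is not the plugin's authenticate.js; the function names (escapeAttr, isExternal, buildRedirectPage) and the rel="noreferrer" fallback for a blocked pop-up are assumptions.

```javascript
// Added example, not the plugin's authenticate.js. Function names are hypothetical.

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// True only for http(s) links whose origin differs from the current page.
// Unparseable hrefs and schemes such as javascript: are left alone.
function isExternal(href, base) {
  let url;
  try { url = new URL(href, base); } catch (e) { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return url.origin !== new URL(base).origin;
}

// Interstitial document: referrer policy first ("never" is the obsolete
// keyword, "no-referrer" the current one), then the meta refresh.
function buildRedirectPage(href, base) {
  const target = escapeAttr(new URL(href, base).href);
  return '<!DOCTYPE html><html><head>' +
    '<meta name="referrer" content="never" />' +
    '<meta name="referrer" content="no-referrer" />' +
    '<meta http-equiv="refresh" content="0; url=' + target + '" />' +
    '</head><body></body></html>';
}

// Browser wiring (skipped outside a browser).
if (typeof document !== 'undefined') {
  document.addEventListener('click', function (ev) {
    const a = ev.target.closest ? ev.target.closest('a[href]') : null;
    if (!a || !isExternal(a.getAttribute('href'), location.href)) return;
    const win = window.open('', '_blank');
    if (!win) {
      // Pop-up blocked (assumed fallback): let the normal navigation
      // proceed, but with rel="noreferrer" set on the link.
      a.setAttribute('rel', 'noreferrer');
      return;
    }
    ev.preventDefault();
    win.document.write(buildRedirectPage(a.getAttribute('href'), location.href));
    win.document.close();
  });
}
```

The target URL is normalized and attribute-escaped before it is written into the interstitial, so a crafted href cannot break out of the content attribute.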

Samples

Please try the following links:

If you find a browser that sends referrer strings to the redirected page when you click “Meta refresh + Meta referrer”, please let me know.

| Browser | Version | Platform | Result |
|---|---|---|---|
| Chrome | 42.0 | OS X 10.9.5 | OK |
| Firefox | 37.0 | OS X 10.9.5 | OK |
| Safari | 7.1.5 | OS X 10.9.5 | OK |
| Opera | 12.6 | OS X 10.9.5 | NG |
| Opera | 29.0 | OS X 10.9.5 | OK |
| IE8 | 8.0 | Windows 7 | OK |
| IE11 | 11.0 | Windows 7 | OK |
| Android Native | 4.0 | Android 2.3.5 | OK |
| Mobile Firefox | 34.0 | Android 2.3.5 | OK |
| Mobile Chrome | 42.0 | iOS 8.3 | OK |
| Mobile Safari | 8.0 | iOS 8.3 | OK |
