“Referrer Suppressor” which eliminate the browser’s referer is one of my favorite feature in IP Location Block.
It came to this plugin as a logical consequence of WP-ZEP. In this article, I’ll tell you the story.
A possibility of nonce disclosure
A nonce is secret information that can be known only by the user who accesses a certain page at a certain moment. It’s one of the basic and important factors to prevent CSRF or other vulnerability.
Instead of vulnerable plugins, WP-ZEP embeds a nonce into hyperlinks, forms, and ajax calls that have requested to somewhere in the admin area. To keep it secret, WP-ZEP must kill the possibility of disclosing a nonce.
One possibility lies in referer strings that would be left on the page as a footprint you visited via an external hyperlink.
That’s why “Referrer Suppressor” is needed. And as a result, this functionality keeps your admin URL (with some queries) secret while you are in the admin area.
How to suppress a referer?
When a click event is triggered on a hyperlink that has an anchor to the external URL, this plugin opens a new window to redirect to that URL with some extra meta tags.
“Meta refresh” is an old school that is not a part of the HTTP standard, but every browser redirects to the specified URL.
<meta http-equiv="refresh" content="0; url=http://example.com/">On a page including this tag, IE or Firefox does not send the referer to the redirected URL, but Chrome, Safari, or Opera does. So we need a new school, i.e. “Referrer-Policy Delivery”:
<meta name="referrer" content="no-referrer">or
<a href="http://example.com" rel="noreferrer">Then the final solution becomes as follows.
<meta name="referrer" content="never" />
<meta name="referrer" content="no-referrer" />
<meta http-equiv="refresh" content="0; url=http://example.com/" />You can find this in authenticate.js.
Note
The keywords never, default, always are obsolete.
Samples
Please try the following links:
If you find a browser that takes referrer strings to the redirected page when you click Meta refresh + Meta referrer
please let me know.
| Browser | Version | Platform | Result |
|---|---|---|---|
| Chrome | 42.0 | OS X 10.9.5 | OK |
| Firefox | 37.0 | OS X 10.9.5 | OK |
| Safari | 7.1.5 | OS X 10.9.5 | OK |
| Opera | 12.6 | OS X 10.9.5 | NG |
| Opera | 29.0 | OS X 10.9.5 | OK |
| IE8 | 8.0 | Windows 7 | OK |
| IE11 | 11.0 | Windows 7 | OK |
| Android Native | 4.0 | Android 2.3.5 | OK |
| Mobile Firefox | 34.0 | Android 2.3.5 | OK |
| Mobile Chrome | 42.0 | iOS 8.3 | OK |
| Mobile Safari | 8.0 | iOS 8.3 | OK |