Referrer Suppressor for external links

“Referrer Suppressor”, which eliminates the browser’s Referer header, is one of my favorite features in IP Location Block.

It came to this plugin as a logical consequence of WP-ZEP. In this article, I’ll tell you the story.

A possibility of nonce disclosure

A nonce is secret information that can be known only by the user who accesses a certain page at a certain moment. It’s one of the basic and important factors in preventing CSRF and other vulnerabilities.

On behalf of vulnerable plugins, WP-ZEP embeds a nonce into hyperlinks, forms, and Ajax calls that make requests to the admin area. To keep it secret, WP-ZEP must kill every possibility of disclosing a nonce.

One such possibility lies in the Referer string: when you follow an external hyperlink from the admin area, the admin URL would be left on the destination page as a footprint of where you came from.

That’s why “Referrer Suppressor” is needed. As a result, this functionality keeps your admin URL (including its query string) secret while you are in the admin area.

How to suppress a referer?

When a click event is triggered on a hyperlink whose anchor points to an external URL, this plugin opens a new window and redirects to that URL from a page that carries some extra meta tags.

“Meta refresh” is old school: it is not part of the HTTP standard, but every browser redirects to the specified URL.

<meta http-equiv="refresh" content="0; url=http://example.com/">

On a page including this tag, IE and Firefox do not send the referer to the redirected URL, but Chrome, Safari, and Opera do. So we need a new school, i.e. “Referrer-Policy Delivery”:

<meta name="referrer" content="no-referrer">

or

<a href="http://example.com" rel="noreferrer">

Then the final solution becomes as follows.

<meta name="referrer" content="never" />
<meta name="referrer" content="no-referrer" />
<meta http-equiv="refresh" content="0; url=http://example.com/" />

You can find this in authenticate.js.
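As an added example, not the plugin’s own authenticate.js, here is the mechanism described above in working form: a builder for the interstitial document with the three meta tags, plus a click handler that opens it in a new window. The function names, the restriction to http(s) targets, the attribute escaping and the `location.host` comparison are my assumptions, not something the plugin is documented to do.

```javascript
// Added example (not the plugin's authenticate.js): open external links through
// a page that carries "meta referrer" + "meta refresh" so no Referer is sent.

// Only redirect to http(s) targets; refuse javascript: and other schemes.
function isExternalHttpUrl(href, currentHost) {
  let u;
  try { u = new URL(href); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  return u.host !== currentHost;
}

// Escape characters that could break out of the content="..." attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Legacy "never" is kept for old browsers, "no-referrer" is the current
// keyword; the meta refresh then performs the actual navigation.
function buildInterstitial(url) {
  const safe = escapeAttr(url);
  return '<!DOCTYPE html><html><head>' +
    '<meta name="referrer" content="never" />' +
    '<meta name="referrer" content="no-referrer" />' +
    '<meta http-equiv="refresh" content="0; url=' + safe + '" />' +
    '</head><body></body></html>';
}

// Browser-only part: intercept clicks on anchors that leave the site.
if (typeof document !== 'undefined') {
  document.addEventListener('click', function (ev) {
    const a = ev.target.closest && ev.target.closest('a[href]');
    if (!a || !isExternalHttpUrl(a.href, location.host)) return;
    ev.preventDefault();
    const w = window.open('about:blank', '_blank');
    if (!w) return;                  // popup blocked: leave the click cancelled
    w.opener = null;                 // also cut the window.opener back-reference
    w.document.open();
    w.document.write(buildInterstitial(a.href));
    w.document.close();
  });
}
```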

Note

The keywords never, default, and always are obsolete.

Samples

Please try the following links:

If you find a browser that passes referrer strings to the redirected page when you click “Meta refresh + Meta referrer”, please let me know.

Browser         Version  Platform       Result
Chrome          42.0     OS X 10.9.5    OK
Firefox         37.0     OS X 10.9.5    OK
Safari          7.1.5    OS X 10.9.5    OK
Opera           12.6     OS X 10.9.5    NG
Opera           29.0     OS X 10.9.5    OK
IE8             8.0      Windows 7      OK
IE11            11.0     Windows 7      OK
Android Native  4.0      Android 2.3.5  OK
Mobile Firefox  34.0     Android 2.3.5  OK
Mobile Chrome   42.0     iOS 8.3        OK
Mobile Safari   8.0      iOS 8.3        OK
