01520: prevent hyperlink referrer tracking
Description:
pmwiki should set rel="noreferrer" on all hyperlinks to stop tracking
gnuzoo
I tend to agree, even though people could easily configure this by redefining $UrlLinkFmt. Let me think about it.
REF The noreferrer keyword for the rel attribute of the <a> element instructs the browser, when navigating to the target resource, to omit the Referer header and otherwise leak no referrer information. --Petko
What rel="noreferrer" Does
The rel="noreferrer" attribute prevents the browser from sending the referring page's URL to the linked website. It also disables the window.opener property for security. (See also noopener).
Benefits of changing the default:
- Privacy: Users' browsing history is not shared with external sites.
- Security: Prevents external sites from manipulating the original page using window.opener.
Drawbacks of changing the default:
- Loss of referral data: External sites cannot see where visitors came from.
- May affect analytics, affiliate programs, or tracking traffic sources: Some tracking systems rely on referral data.
This can be easily added or removed by a wiki administrator by redefining $UrlLinkFmt, but currently, it is not enabled. The feature request asks for it to be enabled by default.
A balanced approach is making it configurable (which it already is) but leaving it disabled by default, so administrators can enable it if they prioritize privacy.
That said, if the community leans toward privacy-first principles, enabling it by default makes sense.
What do you think? Should this change be made? --Petko
Firefox allows users to adjust this via
about:config
network.http.sendRefererHeader
Normal setting is 2.
Setting it to 0 blocks referrers.
PmWiki can set a var like this so it would not matter what browser is being used. Best to adjust it at the server side rather than individual browsers IMHO. --gnuzoo
I agree with privacy-first principles, more and more today. --Luigi
I favour the balanced approach of making it configurable but leaving it disabled by default. I make extensive use of referrer links on several loosely connected sites. In particular, there is a single webmaster report form that does an (admittedly weak) check to be sure it was called from a relevant page. Neil Herber
I would prefer by default not to allow tracking and let those who do make adjustments to turn it on. --gnuzoo
I agree with Neil here. Configurable = yes, default = no. --kellerfrau
I'd like it to be configurable (by a $variable in config.php) and the default to be set to blocking referrers simon
Thank you all for your input. I have added a $FmtV variable $FmtV['$LinkRel'] = 'nofollow'; with '$LinkRel' used in the default $UrlLinkFmt. The default doesn't change for the reasons/drawbacks above; if you have a custom $UrlLinkFmt it doesn't change (you can already set a custom rel attribute or remove it); if you have the default, it is now simpler to configure it in config.php to $FmtV['$LinkRel'] = 'noreferrer nofollow'; for example. On my own wikis I plan to enable 'noreferrer nofollow'. --Petko