PITS /

01520: prevent hyperlink referrer tracking

Summary: prevent hyperlink referrer tracking

Created: 2025-03-28 19:21

Status: Open

Category: Feature

From: gnuzoo

Assigned:

Priority: 53

Version: all

OS: all

Description: pmwiki should set rel="noreferrer" on all hyperlinks to stop tracking gnuzoo March 28, 2025, at 07:22 PM

I tend to agree, even though people could easily configure this by redefining $UrlLinkFmt. Let me think about it.

REF The noreferrer keyword for the rel attribute of the <a> element instructs the browser, when navigating to the target resource, to omit the Referer header and otherwise leak no referrer information. --Petko March 28, 2025, at 07:35 PM

What rel="noreferrer" Does

The rel="noreferrer" attribute prevents the browser from sending the referring page's URL to the linked website. It also disables the window.opener property for security.

Benefits of changing the default:

Privacy: Users' browsing history is not shared with external sites.
Security: Prevents external sites from manipulating the original page using window.opener.

Drawbacks of changing the default:

Loss of referral data: External sites cannot see where visitors came from.
May affect analytics, affiliate programs, or tracking traffic sources: Some tracking systems rely on referral data.

This can be easily added or removed by a wiki administrator by redefining $UrlLinkFmt, but currently, it is not enabled. The feature request asks for it to be enabled by default.

A balanced approach is making it configurable (which it already is) but leaving it disabled by default, so administrators can enable it if they prioritize privacy.

That said, if the community leans toward privacy-first principles, enabling it by default makes sense.

What do you think? Should this change be made? --Petko March 28, 2025, at 08:08 PM

Firefox allows users to adjust this via

    about:config
    network.http.sendRefererHeader

Normal setting is 2.

Setting it to 0 blocks referrers.

PmWiki can set a var like this so it would not matter what browser is being used. Best to adjust it at the server side rather than individual browsers IMHO. --gnuzoo March 28, 2025, at 08:25 PM

I agree with privacy-first principles, more and more today. --Luigi

I favour the balanced approach of making it configurable but leaving it disabled by default. I make extensive use of referrer links on several loosely connected sites. In particular, there is a single webmaster report form that does an (admittedly weak) check to be sure it was called from a relevant page. Neil Herber

I would prefer by default not to allow tracking and let those who do make adjustments to turn it on. --gnuzoo March 28, 2025, at 09:06 PM

I agree with Neil here. Configurable = yes, default = no. --kellerfrau