Option to remove the referrer for external links

Many of us use Discourse for private/sensitive communication and there has been some great effort and attention devoted to privacy such that as little info leaks out of the forum as possible (removal of text from emails, raw urls, etc).

Could we also add an option in settings to add rel=noreferrer to links pointing outside of the forum base url?

I would actually enable that by default, or have a global private/public switch that enables/disables all privacy options of Discourse. This could be part of the setup wizard.

All browsers support it (if you discount zombies): Link types: noreferrer - HTML: HyperText Markup Language | MDN

Edit: For those interested, in the meantime you can use a custom theme component that adds <meta name="referrer" content="same-origin"> to the html <head>.

1 Like

It would be easier to add a site setting that changes the Referrer-Policy header from the default of strict-origin-when-cross-origin to other valid values.

1 Like

I think that has been deprecated in browsers, or that not all browsers will respect in in the future (same with the <meta name=referrer> html tag. I looked into that recently and recall that the safest and most cross-compatible option was rel=noreferrer, but happy to stand corrected.

1 Like

That is incorrect. That header is supported by all the browsers that Discourse support.

3 Likes

Hmm, indeed that seems safe … can’t recall where I read it and took it at face value. I’m already using a custom component to add <meta name="referrer" content="same-origin"> but was weary about the future. A Discourse option would be nicer though.

1 Like