Limit referrer information sent to other sites

Description

When you follow a link from the Archive to another site or go to a page with the Twitter widget (e.g. a work), a header like the following is sent to that site:

The header contains the URL of the page you're coming from (or, in the case of Twitter, the page the widget is being loaded on – in other words, Twitter can tell what work you're accessing, and if you're logged in, that information is likely associated with your Twitter account).

To prevent this, we'd like to update config/application.rb to set the Referrer-Policy to same-origin, as described in Setting HTTP security headers in Rails.

To test, open your browser’s developer tools and check the response headers after navigating from one Archive page to another. The Referrer-Policy should say same-origin. (You may need to consult Google for instructions specific to your browser.)

When testing, we should also make sure the Twitter share widget on works still functions, and check that New Relic still receives referrer information.
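As an added example (not code from the Archive's repository), the Rails setting the ticket proposes, together with a small model of what a browser sends in the Referer header under a given Referrer-Policy, so the manual checks above (same-site link keeps the referrer, cross-site link or Twitter widget load sends nothing) can be reasoned about before opening the developer tools. The `config.action_dispatch.default_headers` API is Rails' own; the helper function names and sample URLs are assumptions made for this example.

```ruby
require 'uri'

# Change proposed for config/application.rb (Rails' default_headers API):
#   config.action_dispatch.default_headers.merge!('Referrer-Policy' => 'same-origin')
#
# The functions below model the browser side: given a policy and a navigation
# (or subresource load) from one URL to another, what Referer value is sent?
# Sample URLs are constructed for illustration.

def origin(url)
  u = URI.parse(url)
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
end

# Browsers never send fragments or credentials in Referer, whatever the policy.
def strip_for_referer(url)
  u = URI.parse(url)
  u.fragment = nil
  u.user = nil
  u.password = nil
  u.to_s
end

# Returns the Referer string the browser would send, or nil when it is omitted.
def referer_for(policy, from_url, to_url)
  same_origin = origin(from_url) == origin(to_url)
  downgrade = URI.parse(from_url).scheme == 'https' && URI.parse(to_url).scheme == 'http'
  case policy
  when 'no-referrer'
    nil
  when 'same-origin'                   # the policy this ticket sets
    same_origin ? strip_for_referer(from_url) : nil
  when 'no-referrer-when-downgrade'    # the legacy browser default
    downgrade ? nil : strip_for_referer(from_url)
  when 'strict-origin-when-cross-origin'
    return nil if downgrade
    same_origin ? strip_for_referer(from_url) : "#{origin(from_url)}/"
  else
    raise ArgumentError, "unsupported policy: #{policy}"
  end
end

# Check a captured response header hash (keys in any case) for the expected policy.
def referrer_policy_ok?(headers, expected = 'same-origin')
  headers.transform_keys { |k| k.to_s.downcase }['referrer-policy'] == expected
end
```

Under the old default, following a tag link and loading the Twitter widget both expose the full work URL; under `same-origin` only the tag link (same site) still carries it.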

Activity

Elz J
October 6, 2019, 12:33 PM

Just to note, this may not be effective in all browsers yet, specifically Edge/IE and mobile Safari: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy But hopefully that will improve over time.

Sarken
October 10, 2019, 8:57 AM

Twitter share on my work still works.

Caused a 500 error and checked New Relic. It correctly showed https://test.archiveofourown.org/collections/GEWithLargeTagSet/signups/new as the HTTP referrer.

Used the Resources tab in Safari 12.1.2’s developer tools to check the response headers after navigating from one Archive page to another. It said same-origin for Referrer-Policy.

Looks good!

redsummernight
October 12, 2019, 5:02 AM
  • The Twitter share button on each work still works.

  • New Relic for the test site still tracks referer for errors.


Using Chrome 77.0.3865.90, loaded a work on beta, checked the Twitter widget request:

From the work, followed a tag link. Same referer header.


Loaded a work on test:

From the work, followed a tag link.

Referer is kept if I stayed on the site, scrubbed if I left. Looks good.

DeployedToBeta

Assignee

Elz J

Reporter

Sarken

Roadmap

Misc

Priority

Medium

Affects versions

Fix versions

Components

BackEnd
FrontEnd

Difficulty

Easy

Milestone

Internal 0.9