Closed cben closed 9 months ago
Hmm, now I don't see a change between mathdown.net and preview when clicking "bugs" link. Both send only the domain name to github e.g. Referer: https://deploy-preview-219--elastic-liskov-92f696.netlify.app/
I do see the meta tag had an effect — shows "Referrer Policy: origin" in devtools instead of default "Referrer Policy: strict-origin-when-cross-origin"
Help link is same-domain. Supposing in future mathdown makes URLs in the markdown clickable, or other form of doc->doc links, those will also be same-domain. Under default policy it sends full referer including ?doc= part — but to mathdown hosting i.e. Netlify which is already trusted. Still, unnecessary, I never want to leak ?doc=... part.
:question: do I want to set strict-origin policy — difference is dropping origin header entirely when new URL has plain-text http:// scheme. The strict- variants reduce leaking even the fact user used mathdown domain to passive eavesdroppers?
confirmed, now stops ?doc=... from being sent even on same-origin ?doc=help link.
[extracted from view branch, this looks like a safe win]

Affects all requests made from the page. Notable external links:
"bugs" link to https://github.com/cben/mathdown/issues
Instead of sending e.g.: Referer: http://localhost:8000/mathdown/?doc=SECRET this will send Referer: http://localhost:8000/
Until now, users have been revealing secret ?doc=... not only to Heroku but also to Github, which is unnecessary. What's worse, GitHub has Insights -> Traffic tab, showing referer info! Luckily, it includes path but not ?query params. Phew!
[possible future — view branch] When making ajax request for viewed markdown file
Instead of sending e.g.:
Referer: http://localhost:8000/mathdown/?viewurl=https://raw.githubusercontent.com/commonmark/commonmark-spec/0.29/README.md
this will send
Referer: http://localhost:8000/
Tested on Firefox (back in 2020).
doc: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#integration_with_html