Open jonasfj opened 4 years ago
To mask the referrer header, we should consider making external links go through a redirect. This also hardens a few other XSS vectors.
See: https://en.wikipedia.org/w/index.php?title=URL_redirection&oldid=917753021#Referrer_masking
Note: It is critical that such a service only allows redirecting URLs embedded on pub.dev, and cannot be used for arbitrary URL redirection. Hence, URLs would need signing or something else.
Note: it's not clear if we should do this. I just want to open the discussion.
See also: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md
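The signing idea in the note above, worked through as an added example (this is not pub.dev code, and the path name /go, the parameter names u and s, and the secret are all assumptions). A page render wraps each external link in a /go URL carrying an HMAC over the target; the /go handler only redirects when the HMAC verifies, so the endpoint cannot be used as an open redirector for arbitrary URLs, and the 302 carries Referrer-Policy: no-referrer, because a bare 302 would otherwise pass the original page's Referer straight through to the destination.

```python
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed server-side secret; a real deployment loads this from a secret
# store and rotates it. It must never reach the client.
SECRET_KEY = b"example-secret-do-not-use"
REDIRECT_PATH = "/go"  # assumed path of the redirect endpoint


def _is_absolute_http(url: str) -> bool:
    """Only absolute http(s) URLs may be wrapped or followed."""
    p = urlsplit(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def sign_target(url: str) -> str:
    """HMAC-SHA256 over the exact target string, hex encoded."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_redirect_link(external_url: str) -> str:
    """Called while rendering a page: wraps an external link in a signed /go URL."""
    if not _is_absolute_http(external_url):
        raise ValueError("refusing to wrap a non-http(s) or relative URL")
    return REDIRECT_PATH + "?" + urlencode(
        {"u": external_url, "s": sign_target(external_url)}
    )


def resolve_redirect(request_url: str) -> Optional[str]:
    """Called by the /go handler: returns the target to redirect to, or None to reject."""
    parts = urlsplit(request_url)
    if parts.path != REDIRECT_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Exactly one u and one s; duplicated parameters are a classic parser-confusion trick.
    if len(qs.get("u", [])) != 1 or len(qs.get("s", [])) != 1:
        return None
    target, sig = qs["u"][0], qs["s"][0]
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sign_target(target), sig):
        return None
    # Defence in depth: even with a valid signature, never redirect to
    # javascript:, data:, or a relative path (guards against a signing bug or key leak).
    if not _is_absolute_http(target):
        return None
    return target


def build_response(request_url: str) -> Dict[str, object]:
    """Shape of the HTTP response the /go handler would emit for a request."""
    target = resolve_redirect(request_url)
    if target is None:
        return {"status": 404, "headers": {}}
    return {
        "status": 302,
        "headers": {
            "Location": target,
            # Without this, the browser forwards the Referer of the page that
            # held the link, and the redirect would not mask anything.
            "Referrer-Policy": "no-referrer",
            "Cache-Control": "no-store",
        },
    }


if __name__ == "__main__":
    link = make_redirect_link("https://example.com/docs?x=1#frag")
    print(link)
    print(build_response(link))
    print(build_response("/go?u=https://attacker.example/&s=0000"))
```

Signing the full URL string (including query and fragment) means an attacker who captures one valid /go link can only reuse it for that exact destination, not retarget it; the server-side re-check of the scheme keeps the endpoint from ever emitting a javascript: or data: Location even if the signing path is buggy.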
I'm not sure this is still relevant. @jonasfj should we just close?