Skip to content

Change referrer policy to be controlled by header in web UI #33214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Gargron merged 1 commit into from
Dec 9, 2024
Merged

Change referrer policy to be controlled by header in web UI #33214

Gargron merged 1 commit into from
Dec 9, 2024

Conversation

@Gargron
Copy link
Member

@Gargron Gargron commented Dec 8, 2024
edited
Loading

A couple of changes here, ultimately with the goal of making it easier to control the referrer policy by setting ALLOW_REFERRER_ORIGIN to true in the environment.

The abundance of rel="noreferrer" in the code is due to the jsx-no-target-blank eslint rule, which however has been disabled for a while. The rule actually has a purpose in terms of security; however, the important bit is rel="noopener", while the noreferrer bit is only relevant for outdated Internet Explorer browsers.

On one hand, I am re-enabling the eslint rule to ensure external links don't allow JavaScript access to the previous page, on the other, I am removing noreferrer from all links. The browser behaviour can (and is) controlled by the Referrer-Policy header we already set, so this change just makes it controllable from one place instead of two dozen different ones.

Our default Referrer-Policy is same-origin, which means the referrer header will only be sent when navigating within your Mastodon server, however, with ALLOW_REFERRER_ORIGIN=true, Referrer-Policy: origin will be used, which will send the referrer header to external websites with only the domain of the referrer and no specific page.

ClearlyClaire
ClearlyClaire reviewed Dec 9, 2024
View reviewed changes
Copy link
Contributor

@ClearlyClaire ClearlyClaire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks fine overall, with maybe the caveat that the moderation interface should have its own referrer policy to not leak information about moderators.

@renchap
Copy link
Member

renchap commented Dec 9, 2024

I would prefer this to be a setting and not an environment variable, so it can be enabled more easily on managed hosting.

We should maybe (in a later PR?) add a way to configure it from the admin settings. We could explain that we do not recommend enabling it for servers with < X active users because it can leak some data (if you have 3 users, it can be very obvious who clicked on the link, so this is some data leak), and maybe even show a hint near the option to recommend enabling/disabling it depending on on the number of users on the instance?

@Gargron
Copy link
Member Author

Gargron commented Dec 9, 2024

I also think this should be an admin setting but it's easier to introduce as an environment variable first.

@ClearlyClaire
Copy link
Contributor

ClearlyClaire commented Dec 9, 2024

I also think this should be an admin setting but it's easier to introduce as an environment variable first.

What about keeping it unchanged in this PR, and adding it as an admin setting in a second PR? My concern is having having to maintain awkward code (like for AUTHORIZED_FETCH) while we could avoid that by going directly with an admin setting.

@ClearlyClaire
Copy link
Contributor

ClearlyClaire commented Dec 9, 2024

Also, I think this is lacking changes to lib/sanitize_ext/sanitize_config.rb, which is prehaps the most important place if you want to have referrers for links in posts.

@Gargron Gargron force-pushed the fix-noreferrer branch 2 times, most recently from 6fd7667 to 320f373 Compare December 9, 2024 10:07
@Gargron
Copy link
Member Author

Gargron commented Dec 9, 2024

Thanks, updated. I don't see a problem with future maintenance if the admin setting is added before a stable release. The reason I would like to add this as an environment variable is so we can immediately enable it on mastodon.social.

@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2024

This pull request has merge conflicts that must be resolved before it can be merged.

@Gargron Gargron force-pushed the fix-noreferrer branch 2 times, most recently from 79b7b2c to b877844 Compare December 9, 2024 11:48
@github-actions
Copy link
Contributor

github-actions bot commented Dec 9, 2024

This pull request has resolved merge conflicts and is ready for review.

oneiros
oneiros reviewed Dec 9, 2024
View reviewed changes
@mjankowski mjankowski added javascript Pull requests that update Javascript code ruby Pull requests that update Ruby code labels Dec 9, 2024
@Gargron Gargron added this pull request to the merge queue Dec 9, 2024
Merged via the queue into main with commit 425311e Dec 9, 2024
36 checks passed
@Gargron Gargron deleted the fix-noreferrer branch December 9, 2024 22:52
@renchap renchap mentioned this pull request Dec 10, 2024
Merged
renchap added a commit to renchap/mastodon that referenced this pull request Dec 10, 2024
@renchap
Use a system setting for the Referer policy
3019238 
Follow up on mastodon#33214

Having this as a setting will allow exposing it as an admin setting.

There is a slight drawback here as reading the setting for every request makes a Redis call, but I am not sure if we have a way to cache it in memory for the Rails process for a few seconds. Not sure if this additional Redis query will have any impact at all.
@rauschma
Copy link

rauschma commented Dec 14, 2024

Wouldn’t some people (e.g. journalists) want link targets to see the full URLs of their posts?

@quintessence
Copy link

quintessence commented Dec 15, 2024

Checking in to make sure I understand the configuration: as it is implemented right now, this is something server infra admins can enable or disable for the server, but not something that users can toggle themselves? e.g. if a server were to "enable the feature" would all users be opted in (or out) with the ability to change to the reverse via their own tools, or is it just globally on or off for the server?

@ClearlyClaire
Copy link
Contributor

ClearlyClaire commented Dec 16, 2024

Wouldn’t some people (e.g. journalists) want link targets to see the full URLs of their posts?

They might want that, but realistically, one would often not be on the specific post, but on a timeline, when clicking a link. And this may reveal more information than we are confident with.

Checking in to make sure I understand the configuration: as it is implemented right now, this is something server infra admins can enable or disable for the server, but not something that users can toggle themselves? e.g. if a server were to "enable the feature" would all users be opted in (or out) with the ability to change to the reverse via their own tools, or is it just globally on or off for the server?

This is a server setting end-users do not have control over.

@quintessence
Copy link

quintessence commented Dec 25, 2024

This is a server setting end-users do not have control over.

Thank you!

@digitalcircuit
Copy link

digitalcircuit commented Jan 15, 2025

Brief note for anyone finding this via Trunk and Tidbits - the browser ultimately decides what referrers get sent, so end users do have control in that sense.

If this is a concern for someone and their instance admins prefer having referrers on, I'd encourage looking into browser configuration and/or extensions (discussion on that is better held elsewhere) so you have control over this with any website, not just the Mastodon instance you're on.

@baknu
Copy link

baknu commented Feb 11, 2025
edited
Loading

Our default Referrer-Policy is same-origin, which means the referrer header will only be sent when navigating within your Mastodon server, however, with ALLOW_REFERRER_ORIGIN=true, Referrer-Policy: origin will be used, which will send the referrer header to external websites with only the domain of the referrer and no specific page.

@Gargron: Very nice that you made this configurable. However, instead of origin I would choose the policy value strict-origin (or maybe strict-origin-when-cross-origin which is the default value for most of the current browsers when a server does not send a Referrer Policy).

According to strict-origin and strict-origin-when-cross-origin basic referrer data (i.e. only the domain of the referrer and no specific page) may be sent to third parties via secure connections (HTTPS) only. The current configurable policy value origin allows the referrer data to be sent via insecure connections (HTTP).

For more details see: https://www.w3.org/TR/referrer-policy/#referrer-policies

@ClearlyClaire
Copy link
Contributor

ClearlyClaire commented Feb 12, 2025

strict-origin-when-cross-origin sounds like a good idea. It's something I hadn't noticed when reviewing the PR but we do have some assumptions that the referrer is a full URL when same-origin (in ApplicationController#store_referrer). This change has caused the get-back-to-where-you-were-before-log-in flow to break.

@ClearlyClaire ClearlyClaire mentioned this pull request Feb 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oneiros oneiros oneiros left review comments

@ClearlyClaire ClearlyClaire ClearlyClaire approved these changes

Assignees

No one assigned

Labels

javascript Pull requests that update Javascript code ruby Pull requests that update Ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@Gargron @renchap @ClearlyClaire @rauschma @quintessence @digitalcircuit @baknu @oneiros @mjankowski