rel=noreferrer? #76
Comments
|
No, that would be a hook's job. By adding this as default behaviour we assume too much about how people use DOMPurify. Happy to accept a PR into the demo folder with a hook though :) |
|
hmm .. I think there is some value to secure defaults. Are there use cases where you actually do want the referrer on untrusted uncontent? |
|
Our threat model covers XSS and the prevention thereof, not possible privacy issues. We'd have to adjust that first and then move ahead with an implementation. As mentioned, this would be best in a hook or a separate project using DOMPurify to cover privacy as well. Happy to accept a PR with a hook or support a project addressing privacy as well. The ground work has been done already, should be straight forward. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Happy to submit a PR, but not sure if we want this.
Basically, does it make sense to default to rel=noreferrer on anchors (and I think img also supports it). Obviously, doesn't work on all platforms, but is a reasonable default for untrusted content. Stops referrer leaks and hijacking etc.
The text was updated successfully, but these errors were encountered: