rel=noreferrer? #76
Happy to submit a PR, but not sure if we want this.

Basically, does it make sense to default to rel=noreferrer on anchors (and I think img also supports it)? Obviously, it doesn't work on all platforms, but it is a reasonable default for untrusted content. Stops referrer leaks and hijacking etc.

Comments

No, that would be a hook's job. By adding this as default behaviour we assume too much about how people use DOMPurify. Happy to accept a PR into the demo folder with a hook though :)

Hmm... I think there is some value to secure defaults. Are there use cases where you actually do want the referrer on untrusted content?

Our threat model covers XSS and the prevention thereof, not possible privacy issues. We'd have to adjust that first and then move ahead with an implementation. As mentioned, this would be best in a hook or a separate project using DOMPurify to cover privacy as well. Happy to accept a PR with a hook or support a project addressing privacy as well. The ground work has been done already, should be straightforward.
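The hook approach the maintainer points to, as an added example that is not DOMPurify's own code: a function for DOMPurify's afterSanitizeAttributes hook that merges noreferrer into the rel attribute of every sanitized link without dropping tokens already present. The FakeElement class is a constructed stand-in for a DOM element so the logic can be exercised outside a browser; DOMPurify.addHook is the library's real registration call and is only invoked when DOMPurify is loaded.

```javascript
// Elements whose rel attribute governs referrer behaviour on navigation.
const LINK_ELEMENTS = new Set(['A', 'AREA']);

// Hook body: ensure "noreferrer" is present in rel for navigable links.
// Existing tokens (nofollow, noopener, ...) are preserved; duplicates are not added.
// Non-link nodes and anchors without an href are returned untouched.
function addNoreferrer(node) {
  if (!node || !LINK_ELEMENTS.has(String(node.nodeName).toUpperCase())) {
    return node;
  }
  if (!node.hasAttribute('href')) {
    return node; // an anchor without href does not navigate, nothing to protect
  }
  const existing = (node.getAttribute('rel') || '')
    .split(/\s+/)
    .filter(Boolean)
    .map((t) => t.toLowerCase());
  const tokens = new Set(existing);
  tokens.add('noreferrer'); // noreferrer also implies noopener in current browsers
  node.setAttribute('rel', Array.from(tokens).join(' '));
  return node;
}

// Constructed stand-in for a DOM element (assumption: only the methods the hook
// uses are modelled). Lets the hook run in Node without jsdom or a browser.
class FakeElement {
  constructor(tagName, attributes = {}) {
    this.nodeName = tagName.toUpperCase();
    this.attrs = new Map(Object.entries(attributes));
  }
  hasAttribute(name) { return this.attrs.has(name); }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
  setAttribute(name, value) { this.attrs.set(name, String(value)); }
}

// Register with DOMPurify when it is present on the page.
if (typeof DOMPurify !== 'undefined' && typeof DOMPurify.addHook === 'function') {
  DOMPurify.addHook('afterSanitizeAttributes', addNoreferrer);
}
```

With the hook registered, DOMPurify.sanitize(dirty) returns markup in which every anchor with an href carries rel="noreferrer" alongside whatever rel tokens survived sanitization.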