
Current URL is disclosed to DuckDuckGo #343

Closed
dessant opened this issue Oct 6, 2020 · 4 comments
Labels
bug Something isn't working

Comments

@dessant
dessant commented Oct 6, 2020

When visiting https://plausible.io/plausible.io/sources, favicons are fetched from https://icons.duckduckgo.com, and the current page URL is sent to their servers in the Referer header, which could be undesirable when Plausible is self-hosted.

The issue can be solved by setting the referrerpolicy attribute for image elements that point to other origins.

<img referrerpolicy="no-referrer" src="https://icons.duckduckgo.com/ip3/news.ycombinator.com.ico">
@dessant dessant added the bug Something isn't working label Oct 6, 2020
@JimDabell
Which browser are you using? I was under the impression most browsers send the origin when HTTPS is in use these days, not the current URL. I just checked the URL you mentioned in Chrome and didn’t reproduce the behaviour you describe; Chrome sent the origin, not the current URL.

@dessant

dessant commented Oct 6, 2020

@JimDabell, the Referer header is sent for the favicon requests in all major browsers. You have probably inspected the wrong request; requests initiated by the <img> element do not send the Origin header unless you enable CORS with the crossorigin attribute.

@dessant

dessant commented Oct 6, 2020

I see you were referring to this change in Chrome, not the Origin header. Chrome 85 and newer only sends the host part of the URL, though that still discloses the host at which the self-hosted instance can be accessed; the Referer header can be dropped entirely to avoid disclosing any data to DuckDuckGo.

@ukutaht
Contributor

ukutaht commented Oct 7, 2020

Thanks for reporting. I agree we should add the referrerpolicy="no-referrer", no reason to share that data.
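As an added example (not code from the Plausible project or from anyone in this thread), a small Python audit that scans rendered HTML for cross-origin <img> elements that are missing referrerpolicy="no-referrer", the fix proposed above; the page URL and the sample markup are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) with default ports normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme))


class CrossOriginImgAudit(HTMLParser):
    """Collect <img> tags whose src is on another origin and whose
    referrerpolicy does not suppress the Referer header entirely."""

    def __init__(self, page_url):
        super().__init__()
        self.page_origin = origin_of(page_url)
        self.findings = []  # list of (src, policy) tuples

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)  # attribute names are already lowercased
        src = a.get("src") or ""
        if not src.startswith(("http://", "https://", "//")):
            return  # relative URL: same origin, nothing leaks cross-site
        # scheme-relative URLs inherit the page's scheme
        target = f"{self.page_origin[0]}:{src}" if src.startswith("//") else src
        if origin_of(target) == self.page_origin:
            return
        policy = (a.get("referrerpolicy") or "").strip().lower()
        if policy != "no-referrer":
            self.findings.append((src, policy or "(unset)"))


def audit_html(page_url, html):
    """Return cross-origin <img> tags on the page that still send a Referer."""
    parser = CrossOriginImgAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: a self-hosted instance page with a mix of images.
PAGE_URL = "https://plausible.example/plausible.example/sources"
SAMPLE_HTML = """
<img src="/images/logo.svg">
<img src="https://icons.duckduckgo.com/ip3/news.ycombinator.com.ico">
<img referrerpolicy="no-referrer" src="https://icons.duckduckgo.com/ip3/github.com.ico">
<img src="https://plausible.example:443/chart.png">
"""

if __name__ == "__main__":
    for src, policy in audit_html(PAGE_URL, SAMPLE_HTML):
        print(f"leaks Referer: {src} (referrerpolicy {policy})")
```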

ukutaht added a commit that referenced this issue Oct 15, 2020