
Referrer policy updates #940

Merged
merged 5 commits into from
Oct 17, 2018

Conversation

Gnito
Contributor

@Gnito Gnito commented Oct 16, 2018

This update is to ensure that a page with URLs that contain tokens from the API doesn't leak that information to external links (including links in the <head> section, CSS files, etc.).

NOTE: remember to always use the <ExternalLink> component when dealing with external links.

Contributor

@kpuputti kpuputti left a comment


Looks good, but be sure to verify in devtools that it works.

Member

@bladealslayer bladealslayer left a comment


Looks good to me. Did you check if the location this happens to appear on the rendered page matters, in relation to other loaded resources (fonts, styles, scripts)?

@Gnito
Contributor Author

Gnito commented Oct 17, 2018

@bladealslayer @kpuputti

FTW renders Helmet meta tags before we load anything external on public/index.html:

<html data-htmlattr="htmlAttributes">
  <head>
    <meta charset="utf-8">
    <!--!title-->
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!--!meta-->

I updated this PR so that the referrer is actually handled in Page.js, where it can be set as the first meta tag (among the Helmet-handled meta tags).

Furthermore, I also had to modify canonical URL creation so that it doesn't contain query & fragment sections when the referrer policy is enforced. (Including params is necessary for SearchPage and other situations where URL params affect the content of the page.)

This setup returns origin for the first external URL on http://localhost:4000/reset-password?asdf=asdf
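Two points from the thread, as an added example that is not the PR's code: building a canonical URL with the query and fragment stripped, and checking that the referrer meta tag precedes the first cross-origin resource in a rendered <head> (the kind of check a reviewer would otherwise do by hand in devtools). It uses only Node's built-in URL; the sample heads, the font host and the origin are constructed.

```javascript
// Added example, not part of the PR. Requires only Node's built-in URL.

// Canonical URL without query/fragment, as the PR strips them when the
// referrer policy is enforced (origin + path only is an assumption here).
function canonicalUrl(rawUrl) {
  const u = new URL(rawUrl);
  return `${u.origin}${u.pathname}`;
}

// True if <meta name="referrer"> appears before the first <link>/<script>
// that points at another origin. Regex scan of a trusted, server-rendered
// head string; deliberately not a general HTML parser.
function referrerMetaPrecedesExternal(headHtml, ownOrigin) {
  const metaIdx = headHtml.search(/<meta\s+name=["']referrer["'][^>]*>/i);
  if (metaIdx < 0) return false; // no policy at all: the token would leak
  const attrRe = /<(?:link|script)\b[^>]*\b(?:href|src)=["']([^"']+)["']/gi;
  let m;
  while ((m = attrRe.exec(headHtml)) !== null) {
    let origin;
    try { origin = new URL(m[1], ownOrigin).origin; } catch { continue; }
    // A cross-origin fetch issued before the policy tag is parsed would
    // still carry the full URL as Referer.
    if (origin !== ownOrigin && m.index < metaIdx) return false;
  }
  return true;
}

// Constructed sample heads: correctly ordered, and a font loaded too early.
const GOOD_HEAD = `<head>
  <meta charset="utf-8">
  <meta name="referrer" content="origin">
  <link rel="canonical" href="http://localhost:4000/reset-password">
  <link rel="stylesheet" href="https://fonts.example/css?family=Inter">
  <script src="/static/js/main.js"></script>
</head>`;
const BAD_HEAD = `<head>
  <link rel="stylesheet" href="https://fonts.example/css?family=Inter">
  <meta name="referrer" content="origin">
</head>`;

console.log(canonicalUrl('http://localhost:4000/reset-password?asdf=asdf'));
console.log(referrerMetaPrecedesExternal(GOOD_HEAD, 'http://localhost:4000'));
console.log(referrerMetaPrecedesExternal(BAD_HEAD, 'http://localhost:4000'));
```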

@Gnito Gnito merged commit 1aef211 into master Oct 17, 2018
@Gnito Gnito deleted the referrer-policy-updates branch October 17, 2018 11:23