=== Noreferrer ===
Contributors: andersju
Tags: noreferrer, referrer, referer, rel, privacy, links
Requires at least: 3.0
Tested up to: 4.3.1
Stable tag: 2.0.1
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

A simple privacy-enhancing plugin to stop browsers from sending referrer information.

== Description ==

[Plugin homepage](https://anders.unix.se/wordpress-plugin-noreferrer/)

When you click on a link, your browser normally tells the destination page what page you were on when you clicked the link. This is called the [HTTP referer](https://en.wikipedia.org/wiki/HTTP_referer) [sic!]. This also happens when your browser loads things like images, fonts and external CSS/JS.

This is bad for privacy. For sensitive sites, it can be *terrible* for privacy. However, with HTML5, there are now ways to stop referrers from being sent.

= rel="noreferrer" link type and referrer attribute =

This plugin, by default, adds `rel="noreferrer"` to external links in posts, pages and comments, and `referrer="no-referrer"` to images and iframes.

As defined in the [HTML5 spec](http://www.w3.org/TR/html5/links.html#link-type-noreferrer), `rel="noreferrer"` "indicates that no referrer information is to be leaked when following the link". As defined in the [Referrer Policy Draft](https://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-state-no-referrer), `referrer="no-referrer"` "specifies that no referrer information is to be sent along with requests made from a particular settings object to any origin".

The plugin modifies elements right before they are displayed. It doesn't modify anything in the database. Existing attributes, including any existing `rel` attributes (such as the one set by `wp_rel_nofollow()`), are preserved. It is possible to whitelist domains if you *do* want to send referrer information to them.

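An added example (not the plugin's own code) of the display-time rewriting described above: it tags external links, images and iframes while preserving existing `rel` tokens and honouring a whitelist. The function names, the `blog.example` sample markup and the subdomain-matching rule are assumptions.

```php
<?php
// Added example, not the Noreferrer plugin's code; function names are hypothetical.

// True when $url has a host that is neither $site_host nor a whitelisted domain.
// Assumption: a whitelist entry also covers its subdomains.
function example_is_external(string $url, string $site_host, array $whitelist): bool {
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // relative URL, fragment, mailto: and the like
    }
    $host = strtolower($host);
    foreach (array_merge([$site_host], $whitelist) as $allowed) {
        $allowed = strtolower($allowed);
        if ($host === $allowed || substr($host, -strlen($allowed) - 1) === '.' . $allowed) {
            return false;
        }
    }
    return true;
}

// Rewrites markup at render time only; nothing stored is changed.
function example_noreferrer(string $html, string $site_host, array $whitelist = []): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate HTML5 tags and sloppy markup
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    $url_attr = ['a' => 'href', 'area' => 'href', 'img' => 'src', 'iframe' => 'src'];
    foreach ($url_attr as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            if (!example_is_external($el->getAttribute($attr), $site_host, $whitelist)) {
                continue;
            }
            if ($attr === 'src') {
                // Draft-era attribute name used on this page; the finished spec calls it referrerpolicy.
                $el->setAttribute('referrer', 'no-referrer');
            } else {
                // Keep existing tokens such as nofollow and append noreferrer once.
                $rel = preg_split('/\s+/', $el->getAttribute('rel'), -1, PREG_SPLIT_NO_EMPTY);
                $el->setAttribute('rel', implode(' ', array_unique(array_merge($rel, ['noreferrer']))));
            }
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed sample content for a site hosted at blog.example, with cdn.example whitelisted.
echo example_noreferrer('<a rel="nofollow" href="https://other.example/x">out</a> <a href="/about">in</a> <img src="https://cdn.example/i.png"> <iframe src="https://video.example/e"></iframe>', 'blog.example', ['cdn.example']), "\n";
```

In WordPress, a function like this would be attached to display-time filters such as `the_content` and `comment_text`, which is how the output can change while the database stays untouched.
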
The `rel="noreferrer"` link type is supported by Firefox (since [version 33](https://developer.mozilla.org/en-US/Firefox/Releases/33#HTML)), Chrome/Safari (added to WebKit in [November 2009](https://www.webkit.org/blog/907/webkit-nightlies-support-html5-noreferrer-link-relation/)) and Microsoft Edge in Windows 10. The `referrer` attribute is not yet supported by the stable version of any browser (July 2015).

= Referrer Policy meta tag =

This plugin, by default, also sets [Referrer Policy](https://w3c.github.io/webappsec/specs/referrer-policy/) to `never` via a `meta` tag. This is even better for privacy: it tells the browser not to send referrer information *at all*, and it applies both to links and to requests generated by the page (CSS, images, etc.).

While still just a W3C draft, it is supported by Firefox (since [version 37](https://bugzilla.mozilla.org/show_bug.cgi?id=965727)), Chrome and Safari (added to WebKit in [November 2011](https://bugs.webkit.org/show_bug.cgi?id=72674)), and by Microsoft Edge in Windows 10 ([source](https://msdn.microsoft.com/en-us/library/dn904194%28v=vs.85%29.aspx)).

**Please note** that this *could* affect plugins that foolishly rely on the refer(r)er header, as well as third-party tools you might use. If you enable this, whitelisting internal links and other elements is possible thanks to the [referrer attribute](https://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-delivery-referrer-attribute); however, support for this has not yet made it into the stable version of any browser.

= Notes =

Inspired by the Drupal module [No referrer](https://www.drupal.org/project/noreferrer).

The code is available on [GitHub](https://github.com/andersju/noreferrer).

== Installation ==

1. Download the latest zip file and extract the `noreferrer` directory.
2. Upload it to your `/wp-content/plugins/` directory.
3. Activate Noreferrer through the Plugins menu in WordPress.

That's all.

For maximum compatibility, all three of `rel="noreferrer"`, `referrer="no-referrer"` and meta referrer are enabled by default. You can disable any one of them under Settings -> Noreferrer. Meta referrer in particular *might* cause problems if other scripts/plugins depend on the referer [sic] header. You can also whitelist domains that you *do* want to send referrer information to.

== Frequently Asked Questions ==

= Why should I use this? =

Because you might care about the privacy of your users.

== Changelog ==

= 2.0.1 =
* Minor bug fix.

= 2.0.0 =
* Added meta referrer support. This is enabled by default, hence the major version change. Also added support for whitelisting and support for elements of type area, img and iframe.

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 2.0.0 =
Adds meta referrer support and enables it by default. Also adds referrer attribute support and enables it by default.