Referrer Suppressor for external link

“Referrer Suppressor” which eliminate the browser’s referer is one of my favorite feature in IP Geo Block emoji .

It came to this plugin as a logical consequence of WP-ZEP. In this article, I’ll tell you the story.

A possibility of nonce disclosure

A nonce is a secret information which can be known only by the user who accesses a certain page at a certain moment. It’s one of basic and important factors to prevent CSRF or other vulnerability.

Instead of vulnerable plugins, WP-ZEP embed a nonce into hyperlinks, forms and ajax calls that have requests to somewhere in the admin area. To keep it secret, WP-ZEP must kill the possibility of disclosing a nonce.

One possibility lies in referer strings that would be left on the page as a footprint you visited via an external hyperlink.

That’s why “Referrer Suppressor” is needed. And as a result, this functionality keeps your admin url (with some queries) secret while you are in the admin area.

How to suppress a referer?

When a click event is triggered on a hyperlink which have an anchor to the external url, this plugin opens a new window to redirect to that url with some extra meta tags.

Meta refresh” is an old school which is not a part of HTTP standard, but every browser redirects to the specified url.

<meta http-equiv="refresh" content="0; url=">

On a page including this tag, IE or Firefox does not send the referer to the redirected url, but Chrome, Safari or Opera does. So we need a new school, i.e. “Referrer Policy Delivery”:

<meta name="referrer" content="no-referrer">


<a href="" rel="noreferrer">

Then the final solution bocomes as follows.

<meta name="referrer" content="never" />
<meta name="referrer" content="no-referrer" />
<meta http-equiv="refresh" content="0; url=" />

You can find this in authenticate.js.


The keywords never, default, always are obsolete.


Please try the following links:

If you find a browser that takes referer strings to the redirected page when you click Meta refresh + Meta referrer please let me know. Thanks emoji

Browser Version Platform Result
Chrome 42.0 OS X 10.9.5 OK
Firefox 37.0 OS X 10.9.5 OK
Safari 7.1.5 OS X 10.9.5 OK
Opera 12.6 OS X 10.9.5 NG
Opera 29.0 OS X 10.9.5 OK
IE8 8.0 Windows 7 OK
IE11 11.0 Windows 7 OK
Android Native 4.0 Android 2.3.5 OK
Mobile Firefox 34.0 Android 2.3.5 OK
Mobile Chrome 42.0 iOS 8.3 OK
Mobile Safari 8.0 iOS 8.3 OK