“Referrer Suppressor”, which eliminates the browser’s referer, is one of my favorite features in IP Geo Block.
It came to this plugin as a logical consequence of WP-ZEP. In this article, I’ll tell you the story.
A nonce is a piece of secret information that can be known only by the user who accesses a certain page at a certain moment. It’s one of the basic and important factors in preventing CSRF and other vulnerabilities.
In place of vulnerable plugins, WP-ZEP embeds a nonce into hyperlinks, forms and ajax calls that send requests to somewhere in the admin area. To keep it secret, WP-ZEP must eliminate any possibility of disclosing the nonce.
One such possibility lies in the referer string, which is left as a footprint on any page you visit via an external hyperlink.
That’s why “Referrer Suppressor” is needed. As a result, this functionality keeps your admin URL (along with its query string) secret while you are in the admin area.
When a click event is triggered on a hyperlink whose anchor points to an external URL, this plugin opens a new window that redirects to that URL using some extra meta tags.
“Meta refresh” is an old-school technique that is not part of the HTTP standard, but every browser redirects to the specified URL.
On a page including this tag, IE and Firefox do not send the referer to the redirected URL, but Chrome, Safari and Opera do. So we need a new-school technique, i.e. “Referrer Policy Delivery”:
Then the final solution becomes as follows.
You can find this in authenticate.js.
always are obsolete.
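The approach described above (a new window that carries a referrer policy and then meta-refreshes to the external URL) can be sketched as follows. This is an added example, not the plugin's authenticate.js; the function names and sample URLs are assumptions, and it uses the standard `no-referrer` policy value.

```javascript
// Added example, not the plugin's code. All names here are hypothetical.

// Return the absolute URL if href is an http(s) link to another origin, else null.
function externalUrl(href, base) {
  try {
    const u = new URL(href, base);
    const http = u.protocol === 'http:' || u.protocol === 'https:';
    return http && u.origin !== new URL(base).origin ? u.href : null;
  } catch (e) {
    return null; // unparsable links are left to the browser
  }
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the intermediate document. The referrer policy comes first so it is
// in effect before the meta refresh navigates away. The admin URL (and the
// nonce in its query string) never appears in this document.
function buildRedirectDoc(target) {
  return '<!DOCTYPE html><html><head>' +
    '<meta name="referrer" content="no-referrer">' +
    '<meta http-equiv="refresh" content="0; url=' + escapeAttr(target) + '">' +
    '</head><body></body></html>';
}

// Browser-only wiring; skipped when the file is loaded outside a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('click', function (ev) {
    const a = ev.target.closest ? ev.target.closest('a[href]') : null;
    const target = a && externalUrl(a.getAttribute('href'), location.href);
    if (!target) return;          // internal link: normal navigation
    ev.preventDefault();
    const w = window.open('', '_blank');
    if (!w) return;               // popup blocked
    w.opener = null;              // the external page gets no handle on the admin tab
    w.document.write(buildRedirectDoc(target));
    w.document.close();
  });
}
```
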
Please try the following links:
If you find a browser that takes referer strings to the redirected page when you click
| Browser | Version | OS | Result |
|---|---|---|---|
| Chrome | 42.0 | OS X 10.9.5 | OK |
| Firefox | 37.0 | OS X 10.9.5 | OK |
| Safari | 7.1.5 | OS X 10.9.5 | OK |
| Opera | 12.6 | OS X 10.9.5 | NG |
| Opera | 29.0 | OS X 10.9.5 | OK |
| Android Native | 4.0 | Android 2.3.5 | OK |
| Mobile Firefox | 34.0 | Android 2.3.5 | OK |
| Mobile Chrome | 42.0 | iOS 8.3 | OK |
| Mobile Safari | 8.0 | iOS 8.3 | OK |