gravatar: Improve privacy by not sending a referrer
Newer browsers allow extending the img-tag to not provide a referrer to the server specified as img-src. This prevents gravatar (wordpress.com) from tracking which URLs a visitor opened (which contained a gravatar-image).
#1 Updated by Stefan Neufeind over 2 years ago
Extend the gravatar-plugin. Then you'll be able to set the img-attribute "referrerpolicy" to "no-referrer" (tested with current Chrome and Firefox).
Additional information on the attribute also here: https://scotthelme.co.uk/a-new-security-header-referrer-policy/
#2 Updated by Michael Stucki over 2 years ago
- Status changed from New to Needs Feedback
Hi Stefan, thanks for your patch. Can you please move the functionality into https://github.com/TYPO3-infrastructure/rm_typo3_forge and make a pull request for it? Thanks in advance!
#3 Updated by Stefan Neufeind over 2 years ago
Lacking a test-installation I couldn't test it. But I did test in plain HTML that this prevents the referrer from being sent. Adding an attribute to the plugin seems the cleanest way imho, but of course it might be better to try to push that upstream - and I'm not sure about your rules for patching such things. Maybe you'd want to approach it a different way to get the same result.
#4 Updated by Steffen Gebert over 2 years ago
Thanks Stefan. I am strongly against patching Redmine core.
I figured out in the Gravatar plugin code that we can set the referrer policy in config/environment.rb by adding this line:
GravatarHelper::DEFAULT_OPTIONS[:referrerpolicy] = 'no-referrer'
However, this file is still part of the upstream redmine source code. I wasn't able to figure out a way to put this into
So if somebody finds a way to supply this option, I'm okay with it. Otherwise I'd suggest rejecting this issue.
#6 Updated by Bastian Bringenberg 3 months ago
- Status changed from Needs Feedback to Rejected
- Assignee set to Bastian Bringenberg
- Priority changed from Should have to Won't have this time
After checking this out in 3.4 we decided that the work spent would be far too high, as we are not able to change config/environment.rb and have no possibility to add this to our base plugin.
If this request is still valid please take a look at our provided git repository and find a way to add this to our deployment, but we did not find an 'easy' solution.
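A check for the behaviour requested in this issue, as an added example that is not part of the original thread, of Redmine or of the Gravatar plugin: it scans rendered HTML and reports Gravatar img tags that do not carry referrerpolicy="no-referrer". The host pattern, the function names and the sample markup are assumptions constructed for the example.

```ruby
require 'uri'

# Hosts treated as Gravatar for this check (assumption of this example).
GRAVATAR_HOSTS = /(\A|\.)gravatar\.com\z/i

# Constructed sample markup, not taken from a real Redmine page.
SAMPLE_HTML = <<~HTML
  <img class="gravatar" src="https://www.gravatar.com/avatar/0000?size=24" referrerpolicy="no-referrer" />
  <img class="gravatar" src="//www.gravatar.com/avatar/1111?size=24" />
  <img class='gravatar' src='https://secure.gravatar.com/avatar/2222' referrerpolicy='origin'>
  <img src="/images/logo.png" alt="logo">
HTML

# Parse the attributes of one <img ...> tag into a hash with lower-case keys.
# Handles double-quoted, single-quoted and unquoted values.
def img_attributes(tag)
  attrs = {}
  tag.scan(/([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |name, dq, sq, bare|
    attrs[name.downcase] = dq || sq || bare
  end
  attrs
end

# Return the src of every Gravatar <img> that would still send a referrer,
# i.e. whose referrerpolicy attribute is missing or not "no-referrer".
def leaking_gravatar_images(html)
  html.scan(/<img\b[^>]*>/im).filter_map do |tag|
    attrs = img_attributes(tag)
    src = attrs['src'].to_s
    # Protocol-relative URLs (//www.gravatar.com/...) need a scheme to parse.
    host = begin
      URI.parse(src.start_with?('//') ? "https:#{src}" : src).host
    rescue URI::InvalidURIError
      nil
    end
    next unless host && host.match?(GRAVATAR_HOSTS)
    policy = attrs['referrerpolicy'].to_s.strip.downcase
    src unless policy == 'no-referrer'
  end
end

puts leaking_gravatar_images(SAMPLE_HTML) if __FILE__ == $PROGRAM_NAME
```

The check only looks at the per-image attribute discussed in this issue; a page-wide referrer policy set elsewhere is not taken into account.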