Feature #80801

gravatar: Improve privacy by not sending a referrer

Added by Stefan Neufeind over 2 years ago. Updated 3 months ago.

Status:
Rejected
Priority:
Won't have this time
Category:
-
Target version:
-
Start date:
2017-04-11
Due date:
% Done:
0%

Description

Newer browsers allow extending the img-tag to not provide a referrer to the server specified as img-src. This prevents gravatar (wordpress.com) from tracking which URLs a visitor opened (which contained a gravatar-image).

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-referrer-attribute

gravatar-referrer.diff View (589 Bytes) Stefan Neufeind, 2017-04-11 01:27

History

#1 Updated by Stefan Neufeind over 2 years ago

Extend the gravatar-plugin. Then you'll be able to set the img-attribute "referrerpolicy" to "no-referrer" (tested with current Chrome and Firefox).

Additional information on the attribute also here: https://scotthelme.co.uk/a-new-security-header-referrer-policy/

#2 Updated by Michael Stucki over 2 years ago

  • Status changed from New to Needs Feedback

Hi Stefan, thanks for your patch. Can you please move the functionality into https://github.com/TYPO3-infrastructure/rm_typo3_forge and make a pull request for it? Thanks in advance!

#3 Updated by Stefan Neufeind over 2 years ago

Lacking a test-installation I couldn't test it. But I did test in plain HTML that this prevents the referrer from being sent. Adding an attribute to the plugin seems the cleanest way imho, but of course it might be better to try to push that upstream - and I'm not sure about your rules for patching such things. Maybe you'd want to approach it a different way to get the same result.

#4 Updated by Steffen Gebert over 2 years ago

Thanks Stefan. I am strongly against patching Redmine core.

I figured out in the Gravatar plugin code that we can set the referrer policy in config/environment.rb by adding this line:

GravatarHelper::DEFAULT_OPTIONS[:referrerpolicy] = 'no-referrer'

However, this file is still part of the upstream redmine source code. I wasn't able to figure out a way to put this into config/additional_environment.rb.

So if somebody finds a way to supply this option, I'm okay with it. Otherwise I'd suggest rejecting this issue.
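As an added illustration of the mechanism the issue and comment #4 describe (not code from this thread, from Redmine, or from the gravatar plugin), the following stand-alone Ruby snippet builds a Gravatar img tag from a hypothetical defaults hash with a `:referrerpolicy` entry, and includes a small check a deployment could run over rendered HTML to confirm the attribute is present. The helper names, the defaults hash and the sample e-mail addresses are assumptions made for this example; the only facts taken from elsewhere are that Gravatar addresses avatars by the MD5 of the trimmed, lower-cased e-mail and that `no-referrer` (or `same-origin`, for a cross-origin host) withholds the page URL from the avatar server.

```ruby
require 'digest/md5'
require 'cgi'

# Hypothetical defaults hash for this example; it mirrors the idea in comment #4
# of a single place where the referrer policy for every avatar tag is set.
DEFAULT_OPTIONS = { size: 80, referrerpolicy: 'no-referrer' }.freeze

# Gravatar looks avatars up by the MD5 of the trimmed, lower-cased address.
def gravatar_url(email, size:)
  hash = Digest::MD5.hexdigest(email.strip.downcase)
  "https://secure.gravatar.com/avatar/#{hash}?s=#{Integer(size)}"
end

# Render an <img> tag whose referrerpolicy attribute tells the browser not to
# send the URL of the page (the Redmine issue or wiki page) to gravatar.com.
def gravatar_img_tag(email, options = {})
  opts = DEFAULT_OPTIONS.merge(options)
  attrs = {
    'src' => gravatar_url(email, size: opts[:size]),
    'alt' => opts[:alt] || 'avatar',
    'referrerpolicy' => opts[:referrerpolicy]
  }.compact # drop referrerpolicy entirely if a caller explicitly sets it to nil
  attr_str = attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v.to_s)}") }.join(' ')
  "<img #{attr_str}>"
end

# Policies that withhold the page URL from a cross-origin host such as gravatar.com.
# 'same-origin' sends nothing to other origins; 'origin'/'strict-origin' would still
# reveal the site, so they are deliberately not accepted here.
SAFE_POLICIES = %w[no-referrer same-origin].freeze

# Defender-side check: does a rendered avatar tag carry a policy that keeps the
# page URL private? Returns false when the attribute is missing or too permissive.
def referrer_safe?(img_tag)
  m = img_tag.match(/referrerpolicy="([^"]*)"/)
  !m.nil? && SAFE_POLICIES.include?(m[1])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, not a real user.
  tag = gravatar_img_tag('  Alice@Example.com ', alt: 'Alice')
  puts tag
  puts "referrer withheld: #{referrer_safe?(tag)}"
end
```

Usage: `gravatar_img_tag(email)` picks up the default policy; passing `referrerpolicy: nil` reproduces the unprotected tag, and `referrer_safe?` flags it, which is the kind of check to run against rendered pages when a deployment cannot change the plugin's defaults directly.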

#5 Updated by Stefan Neufeind over 2 years ago

If we don't find a clean way, could you maybe take this feature-request upstream with your findings / suggestions on how to forward that parameter from a clean configuration down to where it's needed?

#6 Updated by Bastian Bringenberg 3 months ago

  • Status changed from Needs Feedback to Rejected
  • Assignee set to Bastian Bringenberg
  • Priority changed from Should have to Won't have this time

After checking this out in 3.4 we decided that the work spent would be far too high, as we are not able to change config/environment.rb and have no possibility to add this to our base plugin.
If this request is still valid, please take a look at our provided git repository and find a way to add this to our deployment, but we did not find an 'easy' solution.
