WordPress plugin: Noreferrer

Noreferrer (plugin on wordpress.org, code on GitHub) is a simple privacy-enhancing WordPress plugin to stop browsers from leaking referrer information.

Element-level

The plugin adds rel="noreferrer" to external links in posts, pages and comments.

Quoting section 4.8.4.8 of the HTML5 spec:

It indicates that no referrer information is to be leaked when following the link.
If a user agent follows a link defined by an a or area element that has the noreferrer keyword, the user agent must not include a Referer (sic) HTTP header (or equivalent for other protocols) in the request.

rel="noreferrer" is supported by Firefox (since version 33) and Chrome/Safari (added to WebKit in November 2009). It is, to my knowledge, not supported by any version of Internet Explorer. It is supported by Microsoft Edge in Windows 10.

The plugin also adds referrer="no-referrer" to <img> and <iframe> tags. As defined in the Referrer Policy draft:

The simplest policy is No Referrer, which specifies that no referrer information is to be sent along with requests made from a particular settings object to any origin. The header will be omitted entirely.

The referrer attribute is, as of this writing, not yet supported by the stable version of any browser, but it’s coming.

Referrer Policy in meta tag

This plugin, by default, also sets Referrer Policy to never via a meta tag. (no-referrer is actually the preferred keyword, but it is currently not supported by Microsoft Edge.)

This is the best option for privacy, as it tells the browser not to send any referrer information at all anywhere. It applies to all links as well as all requests generated by the document, e.g., images, CSS, JavaScript, etc.

While still just a W3C draft, it is supported by Firefox (since version 37), Chrome and Safari (added to WebKit in November 2011), and by Microsoft Edge (source), the new browser in Windows 10.

Whitelisting

Internal links are whitelisted by default. You can also specify additional domains to whitelist.

If meta referrer is enabled, whitelisting will add referrer="unsafe-url" (unless going from HTTPS to HTTP), although this attribute is not yet supported anywhere (see above).

Installation

  1. Download the latest zip file and extract the noreferrer directory.
  2. Upload it to your /wp-content/plugins/ directory.
  3. Activate Noreferrer through the Plugins menu in WordPress.

Just activate and you’re good to go. If you don’t like the default settings, go to Settings -> Noreferrer.

How it works

It hooks into the_content and comment_text, modifying the output before display. It doesn’t touch the database. Existing attributes, including existing rel attributes (such as the one set by wp_rel_nofollow), are preserved.
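A sketch of the display-time rewrite described above, added here as an illustration and not taken from the plugin's source. The function names, the regex-based matching and the sample hosts are assumptions; only the_content, comment_text, add_filter and home_url are real WordPress names.

```php
<?php
// Added example, not the plugin's code. example_* names are hypothetical.
function example_is_external(string $href, string $site_host, array $whitelist): bool
{
    $host = parse_url($href, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // relative URL, fragment, mailto: and similar: leave alone
    }
    $host = strtolower($host);
    return $host !== strtolower($site_host) && !in_array($host, $whitelist, true);
}

function example_add_noreferrer(string $html, string $site_host, array $whitelist = []): string
{
    // Regex matching is a simplification: attribute values containing ">" are not handled.
    return preg_replace_callback(
        '/<a\s[^>]*>/i',
        function (array $m) use ($site_host, $whitelist): string {
            $tag = $m[0];
            if (!preg_match('/\shref\s*=\s*(["\'])(.*?)\1/i', $tag, $href)
                || !example_is_external($href[2], $site_host, $whitelist)) {
                return $tag; // no href, internal link or whitelisted domain
            }
            if (preg_match('/\srel\s*=\s*(["\'])(.*?)\1/i', $tag, $rel)) {
                // Keep existing tokens (e.g. nofollow) and append noreferrer once.
                $tokens = preg_split('/\s+/', trim($rel[2]), -1, PREG_SPLIT_NO_EMPTY);
                if (in_array('noreferrer', array_map('strtolower', $tokens), true)) {
                    return $tag;
                }
                $tokens[] = 'noreferrer';
                return str_replace($rel[0], ' rel=' . $rel[1] . implode(' ', $tokens) . $rel[1], $tag);
            }
            return substr($tag, 0, -1) . ' rel="noreferrer">';
        },
        $html
    ) ?? $html;
}

if (function_exists('add_filter')) {
    // Inside WordPress: rewrite output at display time; stored content is untouched.
    $filter = function (string $html): string {
        return example_add_noreferrer($html, (string) parse_url(home_url(), PHP_URL_HOST));
    };
    add_filter('the_content', $filter);
    add_filter('comment_text', $filter);
} else {
    // Stand-alone run on constructed sample input (hosts are made up).
    $sample = '<a href="/about">in</a> <a rel="nofollow" href="https://other.example/x">out</a>';
    echo example_add_noreferrer($sample, 'blog.example'), "\n";
}
```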

Notes

Inspired by the Drupal module No referrer.