Sourcebuster.js (opens in new tab)

(sbjs.rocks)

89 pointsddispaltro7y ago35 comments

35 comments

29 comments · 11 top-level

z3t47y ago· 6 in thread

Hmm. I thought browsers stopped giving out referrer years ago ... !?

No, however, the idea is that if the link is target _blank then you are supposed to add a rel attribute, commonly given as rel="noopener noreferrer" in most articles you read. Common content management systems such as Wordpress and Drupal do this for you.

Nobody has yet died due to some programmer carelessly not having 'noreferrer' set in the 'rel' attribute of a link that opens in another tab but, if you want to get 100% on Google's Lighthouse audit tool, then it really does matter.

The Google article is worth the read as it makes it clear that the oft-cited rel="noopener noreferrer" is wrong. The thing is that 'noreferrer' is a superset of 'noopener' so you only actually need rel="noreferrer" without the 'noopener' bit.

The 'opener' said no to is 'window.opener' in Javascript. This probably was brilliant in the days of frames and has lurked in the specs ever since.

https://developers.google.com/web/tools/lighthouse/audits/no...

lixtra7y ago

In particular: “A user agent must not send a referrer header field in an unsecured HTTP request if the referring page was received with a secure protocol”

https://tools.ietf.org/html/rfc7231#section-5.5.2

mbell7y ago

There are options to control the referrer in various places, but it is still included by default. The only situation I can think of where its blocked by default is when navigating from https to http.

lixtra7y ago

Which seems to happen here: https://news.ycombinator.com/item?id=19295836 -> http://sbjs.rocks/#/

judge20207y ago

I've seen social networks use noreferrer on their links, but they're still a browser feature nonetheless. Referrers are also always sent for image tags and remote resources.

baroffoos7y ago

I think that was just cutting off the path from the referrer data.

_threads7y ago· 3 in thread

I just love it when I enter a store and someone who followed me go tell the seller all the shops I visited, what I shopped, for how long, what I searched and what I read

We have to stop this non-sense, and stop calling this « innovation »

spiderfarmer7y ago

This absolutely doesn’t do that though.

oliwarner7y ago

No, this absolutely does form part of the marketing loop.

Profiling visitors based on their referrer to —quoting TFA— "show relevant content" is exactly this sort of creepy nonsense that leads to you (store owner) knowing where I do my research and being able to infer more about me than I've explicitly told you.

1 more reply

eurticket7y ago

Surely someone will, has and is. As over arcing as the first comment seems, I'd tend to agree.

EmilStenstrom7y ago· 3 in thread

To be clear, this "buster" isn't breaking any browser boundaries. It just uses whatever referer header the page gets from the browser.

mbell7y ago

Looks like it also parses UTM params but yea, it's not doing anything special or nefarious.

spiderfarmer7y ago

The ‘busting’ part is just making sure that the original source is available during future visits.

PinkMilkshake7y ago

I thought it was a reference to the film The Big Hit.

ykevinator7y ago· 3 in thread

I clicked the link through feedly but it said my source was direct

bleys_7y ago

Because you went from a https site to a non secure one (http://sbjs.rocks) so the referer header was hidden.

See: https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding

tw10107y ago

I did the same but it worked for me (said hn), why didn't it work for the parent but it did for me?

1 more reply

stordoff7y ago

Not in the latest Chrome (Windows). Right-click, open in new window:

> Your source is news.ycombinator.com

Though it is noted in the usage:

> When a visitor come from https web-site to http, a request doesn’t have a referer.

chimen7y ago· 2 in thread

I don't get the point of this in a client script. What does it do that can't be done server side with the http headers? Maybe it can be useful inside SPAs but this sort of info should be immutable and read only which is next to impossible on front facing apps.

buremba7y ago

You can still emulate the Referer header in order to trick the server side. It's easier to do this on the client side in order to avoid complexity on server-side because the servers need to be aware of all the browsers used by the client.

chimen7y ago

Makes no sense. What complexity are you talking about? You get that info on the client to create another request to the server in order to send it over?

1 more reply

jonahx7y ago· 1 in thread

Anyone know why chrome does not have an option to turn off the Referer header globally?

robinduckett7y ago

Because many websites will get upset if you don't have your referrer available to track you /shrug

um_ya7y ago

Piggy backing off of this post. I'd like to take the opportunity to remind people of the security hazards of referrer addresses and keeping sensitive information out of your query parameters. If you have third party images or third party links on your site, sensitive user information is leaked through the referrer address if the data is in your GET parameters. If you have an OAuth scheme, double check to make sure you don't have external links or third party images in your login/redirect/authentication process. Sensitive information should ALWAYS be sent via POST request and your referer policy should be set appropriately. Read more here: https://developer.mozilla.org/en-US/docs/Web/Security/Refere...

rocky11387y ago

I've been looking at the Chameleon extension recently. Anyone have any experience with it? Apparently it spoofs a ton of stuff to make tracking harder.

oliwarner7y ago

This seems pretty fragile. I visited first from Feedly and then from HN and both times it counted my visit as "direct" (ie no referrer).

Or is this just Firefox kicking ass?

wink7y ago

Your source is: direct visit.

No, I clicked a link from 2 different domains (my rss reader and here) - so that means my browser privacy addons work? :)

baroffoos7y ago

For a while I had referrers turned off in firefox almost everything still works but it did set off a few anti bot scripts on larger websites.

j / k navigate · click thread line to collapse

35 comments

29 comments · 11 top-level

z3t47y ago· 6 in thread

Hmm. I thought browsers stopped giving out referrer years ago ... !?

Theodores7y ago

The 'opener' said no to is 'window.opener' in Javascript. This probably was brilliant in the days of frames and has lurked in the specs ever since.

https://developers.google.com/web/tools/lighthouse/audits/no...

lixtra7y ago

In particular: “A user agent must not send a referrer header field in an unsecured HTTP request if the referring page was received with a secure protocol”

https://tools.ietf.org/html/rfc7231#section-5.5.2

mbell7y ago

There are options to control the referrer in various places, but it is still included by default. The only situation I can think of where its blocked by default is when navigating from https to http.

lixtra7y ago

Which seems to happen here: https://news.ycombinator.com/item?id=19295836 -> http://sbjs.rocks/#/

judge20207y ago

I've seen social networks use noreferrer on their links, but they're still a browser feature nonetheless. Referrers are also always sent for image tags and remote resources.

baroffoos7y ago

I think that was just cutting off the path from the referrer data.

_threads7y ago· 3 in thread

I just love it when I enter a store and someone who followed me go tell the seller all the shops I visited, what I shopped, for how long, what I searched and what I read

We have to stop this non-sense, and stop calling this « innovation »

spiderfarmer7y ago

This absolutely doesn’t do that though.

oliwarner7y ago

No, this absolutely does form part of the marketing loop.

1 more reply

eurticket7y ago

Surely someone will, has and is. As over arcing as the first comment seems, I'd tend to agree.

EmilStenstrom7y ago· 3 in thread

To be clear, this "buster" isn't breaking any browser boundaries. It just uses whatever referer header the page gets from the browser.

mbell7y ago

Looks like it also parses UTM params but yea, it's not doing anything special or nefarious.

spiderfarmer7y ago

The ‘busting’ part is just making sure that the original source is available during future visits.

PinkMilkshake7y ago

I thought it was a reference to the film The Big Hit.

ykevinator7y ago· 3 in thread

I clicked the link through feedly but it said my source was direct

bleys_7y ago

Because you went from a https site to a non secure one (http://sbjs.rocks) so the referer header was hidden.

See: https://en.wikipedia.org/wiki/HTTP_referer#Referer_hiding

tw10107y ago

I did the same but it worked for me (said hn), why didn't it work for the parent but it did for me?

1 more reply

stordoff7y ago

Not in the latest Chrome (Windows). Right-click, open in new window:

> Your source is news.ycombinator.com

Though it is noted in the usage:

> When a visitor come from https web-site to http, a request doesn’t have a referer.

chimen7y ago· 2 in thread

buremba7y ago

chimen7y ago

Makes no sense. What complexity are you talking about? You get that info on the client to create another request to the server in order to send it over?

1 more reply

jonahx7y ago· 1 in thread

Anyone know why chrome does not have an option to turn off the Referer header globally?

robinduckett7y ago

Because many websites will get upset if you don't have your referrer available to track you /shrug

um_ya7y ago

rocky11387y ago

I've been looking at the Chameleon extension recently. Anyone have any experience with it? Apparently it spoofs a ton of stuff to make tracking harder.

oliwarner7y ago

This seems pretty fragile. I visited first from Feedly and then from HN and both times it counted my visit as "direct" (ie no referrer).

Or is this just Firefox kicking ass?

wink7y ago

Your source is: direct visit.

No, I clicked a link from 2 different domains (my rss reader and here) - so that means my browser privacy addons work? :)

baroffoos7y ago

For a while I had referrers turned off in firefox almost everything still works but it did set off a few anti bot scripts on larger websites.

j / k navigate · click thread line to collapse