Original URL: http://stackoverflow.com/questions/5033300/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Stop link from sending referrer to destination
Asked by nolanpro
I have a page where I don't want the outbound links to send a referrer so the destination site doesn't know where they came from.
I'm guessing this isn't possible but I just want to make sure there wasn't any hidden javascript magic that could do it and that would work with some (if not most) browsers.
Maybe some clever HTTP status code redirecting kung-fu?
Something like this would be perfect
<a href="example.com" send_referrer="false">link</a>
Answered by Drewmate
I was looking for just the same thing, and it seems like this will be a feature of HTML5.
The tag you are looking for is rel="noreferrer".
It is already implemented in Webkit (Chrome, etc.), as well as Firefox, but your mileage may vary.
Answered by ssokolow
For anyone who's visiting in 2015 and beyond, there's now a proper solution gaining support.
The HTTP Referrer Policy spec lets you control referrer-sending for links and subresources (images, scripts, stylesheets, etc.) and, at the moment, it's supported on Firefox, Chrome, Opera, and Desktop Safari 11.1.
Edge, IE11, iOS Safari, and desktop versions of Safari prior to 11.1 support an older version of the spec with never, always, origin, and default as the options.
According to the spec, these can be supported by specifying multiple policy values. Unrecognized ones will be ignored and the last recognized one will win.
<meta name="referrer" content="never">
<meta name="referrer" content="no-referrer">
Also, if you want to apply it to audio, img, link, script, or video tags which require a crossorigin attribute, prefer crossorigin="anonymous" where possible, so that only the absolute minimum (the Origin header) will be shared.
(You can't get rid of the Origin header while using CORS because the remote sites need to know what domain is making the request in order to allow or deny it.)
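How the two-tag fallback in the answer above resolves on an older and a newer browser, as an added example that is not part of the original answer. The token sets, the regex-based tag extraction, and the function names are assumptions of this model, and the HTML samples are constructed; it also shows what happens when the tags are written in the wrong order.

```javascript
// Added example (not from the original answer): models "unrecognized values
// are ignored, the last recognized one wins" for <meta name="referrer"> tags.

// Token sets are assumptions for the model: LEGACY is the older vocabulary
// listed in the answer; MODERN is the Referrer Policy spec's token list.
const LEGACY = new Set(["never", "always", "origin", "default"]);
const MODERN = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Pull content values of referrer meta tags out of an HTML string, in
// document order. Simplified regex parsing, enough for the constructed samples.
function referrerMetaValues(html) {
  const values = [];
  const tagRe = /<meta\b[^>]*>/gi;
  for (const [tag] of html.matchAll(tagRe)) {
    if (!/\bname\s*=\s*["']referrer["']/i.test(tag)) continue;
    const m = /\bcontent\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (m) values.push(m[1].trim().toLowerCase());
  }
  return values;
}

// Walk the values in order; each recognized token overrides the previous one.
// Returns null when nothing was recognized (the browser keeps its default).
function effectivePolicy(html, recognized) {
  let policy = null;
  for (const value of referrerMetaValues(html)) {
    if (recognized.has(value)) policy = value;
  }
  return policy;
}

// Constructed samples: the answer's pair, and a mis-ordered pair.
const fallbackFirst = `<meta name="referrer" content="never">
<meta name="referrer" content="no-referrer">`;
const wrongOrder = `<meta name="referrer" content="no-referrer">
<meta name="referrer" content="origin">`;

console.log(effectivePolicy(fallbackFirst, LEGACY)); // never
console.log(effectivePolicy(fallbackFirst, MODERN)); // no-referrer
console.log(effectivePolicy(wrongOrder, MODERN));    // origin (weaker than intended)
```

Because `origin` is a valid token in both vocabularies, placing it after `no-referrer` overrides the stricter policy everywhere; the legacy fallback has to come first.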
Answered by Wilfred Hughes
HTML 5 includes rel="noreferrer", which is supported in all major browsers. So for these browsers, you can simply write:
<a href="example.com" rel="noreferrer">link</a>
There's also a shim available for other browsers: https://github.com/knu/noreferrer
Answered by zaius
Bigmack is on the right track, but a javascript location change still sends a referrer in firefox. Using a meta refresh seems to solve the problem for me.
<a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://google.com/&#39;"></html>'>Link</a>
Answered by zaius
I was trying to figure this out too.
The solution I thought of was to use a data url to hide the actual page I am coming from.
<a href='data:text/html;charset=utf-8, <html><script>window.location = "http://google.ca";</script></html>'>Link</a>
This link opens a page that only contains javascript to load a different page. In my testing no referrer is given to the final destination. I don't know what it could send as a referrer if it tried anyways, maybe the data url? Which wouldn't give away where you came from.
This works in Chrome. Chrome is my only concern for my current problem, but for browsers that don't like javascript in pages that are data urls, you could probably try a meta refresh.
Answered by Michael Cropper
In addition to the information already provided, there is lots more information on the topic here: https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer
Specifically allowing you to either send or not send referral information if you need different rules for same-origin or cross-origin requests.
Something to consider depending on your specific use case. i.e. if you are pulling in images/css/javascript from 3rd party websites, then you may want to not identify the URL that you are doing this from and hence would use the no-referrer option. Whereas if you are linking out to other websites from your own website, you may want them to know that you are sending them traffic. Always think through the implications of this on both sides. If there is a conflict in these two areas, then there are other options such as adding UTM tracking parameters to the end of URLs which may come in handy for some people. Full details here: https://www.contradodigital.com/2014/06/03/importance-utm-tracking-parameters-social-media/