Disable referrer header in DMT to prevent leaking Dojo address to third parties (!234) · Merge requests · Dojo / samourai-dojo

Luke Childs requested to merge lukechilds/samourai-dojo:lukechilds-develop-patch-06290 into develop Jun 11, 2021

Currently the referrer header is sent along with all external requests occurring from DMT. This means if the user is visiting an external link (like e.g the Telegram group links) the Dojo server address gets sent in the referer HTTP header to Telegram's server. This is worse if the server is served via a Tor hidden service which the user would assume no one they haven't shared the address with has any knowledge of it.

This change just adds <meta name="referrer" content="no-referrer" /> to the head of the document which will ensure referrer headers are not added to any requests made from DMT.

Edited Jun 11, 2021 by Luke Childs

Disable referrer header in DMT to prevent leaking Dojo address to third parties

Merge request reports