blog!

jornfranke@mastodon.online

@Edent Referrer are not the only solution to your problem and probably also a bad one given the security issues of referrers. You can attach to your URLs simply a parameter indicating that they come from Mastodon. Many popular news sites do it like this.

edent@mastodon.social

@jornfranke After reading my blog post, what do you think the security issues are of Referers?

john_fisherman@mastodon.social

@Edent thanks for sharing. This would be helpful for me, I don't have stats to tell my coworkers Mastodon is worth our limited time.

Also, I think it just makes for a more interconnected web, if we are aware of each other's visits.

But I'm also aware of my white European privilege, so curious to hear about the drawbacks here other than "SECURITY!".

Is there a timeline for this release?

edent@mastodon.social

@john_fisherman It is live now.

In terms of drawbacks - if you're on a small or niche server, you possibly don't want to turn it on.

If you're on a larger more general server, there are no drawbacks.

jornfranke@mastodon.online

@Edent They may give information away that should not be shared. People often configure referrers wrongly in the server.

It will give you anyway not full tracking capabilities, e.g. if you share links from Mastodon via Messengers, you do not know where the link originally comes from.
Referrer can be even easier than URL parameters suppressed.

Using referrers looks to me like the wrong solution.

john_fisherman@mastodon.social

@Edent cool. Is this live also for mastodon.social? Do you see it on your end?

edent@mastodon.social

@jornfranke
I'm not sure if you read the post, but it seems like all your objections are answered in it.

edent@mastodon.social

@john_fisherman Yup!
https://mastodon.social/deck/@Edent/113650721839311875

jornfranke@mastodon.online

@Edent I have read the post and it does not address any of the concerns I stated before. Furthermore, it is also misleading as referrer can disclose much more information than the domain (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy).

I strongly recommend to avoid hosts that have any other referrer policy than no-referrer.

edent@mastodon.social

@jornfranke

john_fisherman@mastodon.social

@Edent cc @hugo

Can we have this for @fumacapt and friends? ️

osma@mas.to

@Edent
What does this mean for an app user? I haven't gone to check, but presumably this affects the browser behavior of the follower, based on their own server's setting, not the poster or their server. I can't see it changing anything for someone not using the Mastodon web UI, though. Am I wrong?

edent@mastodon.social

@osma did you read the blog post?

osma@mas.to

@Edent
I did. I didn't notice you mentioning this. Perhaps I wasn't paying attention.

osma@mas.to

@Edent
> Apps can set their own Referer header - leading to more fragmentation.

Apps have always been able to do this, right? So it has no bearing on the server setting.

edent@mastodon.social

@osma yup!

edent@mastodon.social

The top 10 referring sites to my blog today.

Great to see Mastodon(.social) finally appearing in there.

(Read the blog post above for more details.)

hipska@mastodon-belgium.be

@Edent that will then only be the ones using that specific instance AND using the web interface I assume? Real numbers are likely much higher.

edent@mastodon.social

@Hipska
(Read the blog post above for more details.)

edent@mastodon.social

After a couple of weeks, Mastodon(.social) is now consistently in the top 10 HTTP referers to my blog.

Hope to see some of the bigger instances turn this on soon.