Disable ?ref_url referer tracking in tweet embeds

embeddedtweet

#1

When embedding a single tweet via twttr.widgets.createTweet, links in the tweet get ?ref_url=<url encoded current location> added to them just as they’re clicked. The links also don’t have a rel="noreferrer" attribute set.

To protect our users’ privacy, we’d like to prevent their current URL from being leaked to third parties by default.

We have a policy to control leaking via the Referer header: https://w3c.github.io/webappsec-referrer-policy/ but that obviously doesn’t help when it’s being passed via querystring.

I’m currently using this code (with jQuery) in the callback to fix it for now:

var rootNode, links;
// $widget is the jQuery-wrapped widget element passed to the createTweet callback
// Check if we've got a shadow DOM or iframe widget
if ($widget.is('twitterwidget')) {
    rootNode = $($widget[0].shadowRoot.querySelectorAll('.EmbeddedTweet'));
    links = $($widget[0].shadowRoot.querySelectorAll('a'));
} else {
    rootNode = $widget.contents().find('.EmbeddedTweet');
    links = $widget.contents().find('a');
}
links.each(function () {
    // Prevent privacy leaks
    this.rel = "noreferrer";
    // Should already be set, but just to be safe
    this.target = "_blank";
    // Prevent sneaky ref_url injection onclick
    this.dataset.urlRefAttrsInjected = true;
});

Obviously, this workaround might break if the embeds get changed in future.

Is there an option we can use to always prevent referer leakage or will we need to keep fixing it in the embed code manually after it’s been added to the DOM? Or, if this is really important for your stats tracking, could you allow us to specify just the root URL, rather than the full private user URL?

Thanks
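As an added example (not code from this thread or from Twitter's widget library), the same hardening written as plain functions without jQuery: they accept the anchor elements returned by shadowRoot.querySelectorAll('a') or the iframe contents, and equally plain objects with the same href/rel/target/dataset properties, which the constructed sample below uses so it runs under Node. It goes beyond the snippet above by also stripping any ref_url already present in an href and adding rel=noopener alongside noreferrer.

```javascript
// Remove tracking query parameters (by default only ref_url, as observed in the
// thread) from an absolute href. Relative or malformed hrefs are returned untouched.
function stripTrackingParams(href, params = ['ref_url']) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return href;
  }
  let changed = false;
  for (const p of params) {
    if (url.searchParams.has(p)) {
      url.searchParams.delete(p);
      changed = true;
    }
  }
  return changed ? url.toString() : href;
}

// Harden one anchor: no Referer on navigation (noreferrer), no window.opener
// access (noopener), open in a new tab, and set the data flag the widget's click
// handler checks before injecting ref_url (the workaround from the post above).
function hardenLink(link) {
  link.href = stripTrackingParams(link.href);
  const rel = new Set(String(link.rel || '').split(/\s+/).filter(Boolean));
  rel.add('noreferrer');
  rel.add('noopener');
  link.rel = [...rel].join(' ');
  link.target = '_blank';
  link.dataset.urlRefAttrsInjected = 'true';
  return link;
}

// Apply to every anchor in an iterable (NodeList, array, jQuery collection via .get()).
function hardenAll(links) {
  const out = [];
  for (const link of links) out.push(hardenLink(link));
  return out;
}

// Constructed sample anchor-like objects standing in for the widget's <a> elements;
// the domains are placeholders, not real tweet links.
function sampleLinks() {
  return [
    { href: 'https://links.example/abc123?ref_url=https%3A%2F%2Fapp.example%2Fcustomer%2F42',
      rel: '', target: '', dataset: {} },
    { href: 'https://social.example/example/status/1',
      rel: 'nofollow', target: '_blank', dataset: {} },
  ];
}
```

In a page, the call is hardenAll(el.shadowRoot.querySelectorAll('a')) for the shadow-DOM widget, run once the createTweet promise resolves.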


#3

Hi James!

Short answer: There isn’t a way to do this right now because yes, we do regard the stats as important for most of our use cases. However, I absolutely get the desire to mask customers’ identities within a larger umbrella app (whether paths or subdomains). I can’t commit immediately to whether we would offer a feature to manage this in the way you describe, but we will discuss. Thanks for bringing it up.

Ben


#4

Cheers Ben, appreciate the response.
