When embedding a single tweet via twttr.widgets.createTweet, links in the tweet get ?ref_url=<url encoded current location> added to them just as they're clicked. The links also don't have a rel="noreferrer" attribute set.
To protect our users’ privacy, we’d like to prevent their current URL from being leaked to third parties by default.
We have a policy to control leaking via the Referer header: https://w3c.github.io/webappsec-referrer-policy/ but that obviously doesn’t help when it’s being passed via querystring.
I’m currently using this code (with jQuery) in the callback to fix it for now:
// $widget is the jQuery-wrapped widget element handed to the createTweet callback
var rootNode, links;

// Check if we've got a shadow DOM or iframe widget
if ($widget.is('twitterwidget')) {
    rootNode = $($widget[0].shadowRoot.querySelectorAll('.EmbeddedTweet'));
    links = $($widget[0].shadowRoot.querySelectorAll('a'));
} else {
    rootNode = $widget.contents().find('.EmbeddedTweet');
    links = $widget.contents().find('a');
}

links.each(function () {
    // Prevent privacy leaks
    this.rel = "noreferrer";
    // Should already be set, but just to be safe
    this.target = "_blank";
    // Prevent sneaky ref_url injection onclick
    this.dataset.urlRefAttrsInjected = true;
});
Obviously, this workaround might break if the embeds get changed in future.
Is there an option we can use to always prevent referrer leakage, or will we need to keep fixing it in the embed code manually after it's been added to the DOM? Or, if this is really important for your stats tracking, could you allow us to specify just the root URL rather than the full private user URL?
Thanks
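The following is an added example, not code from the post above and not part of Twitter's widgets.js. It generalises the poster's workaround: besides setting rel="noreferrer" and target="_blank", it strips a ref_url parameter (the only parameter name the post mentions; the list is overridable) from each link's href, and it keeps re-applying the fixes when the widget adds or rewrites links later. The shadow-root / iframe lookup mirrors the post; the MutationObserver part and the function names are this example's own assumptions.

```javascript
// Added example (not from the original post or from Twitter's widgets.js).
// Hardens links inside an embedded-tweet widget so the host page's URL is not
// handed to third parties via the Referer header or via a query parameter.

// Parameter names that carry the embedding page's URL. `ref_url` is the name
// reported in the post; callers can pass their own list.
const LEAK_PARAMS = ['ref_url'];

// Strip leaking parameters from an absolute URL. Relative or malformed hrefs
// are returned untouched rather than rewritten into something else.
function stripLeakParams(href, params = LEAK_PARAMS) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return href;
  }
  let changed = false;
  for (const name of params) {
    if (url.searchParams.has(name)) {
      url.searchParams.delete(name);
      changed = true;
    }
  }
  return changed ? url.toString() : href;
}

// Apply the per-link fixes to one anchor-like object (a real HTMLAnchorElement
// or, as in the tests, a plain object with the same properties). Every write
// is guarded so re-running this from a MutationObserver does not loop forever.
function hardenLink(a) {
  if (a.rel !== 'noreferrer') a.rel = 'noreferrer'; // also implies noopener in current browsers
  if (a.target !== '_blank') a.target = '_blank';
  const clean = stripLeakParams(a.href);
  if (clean !== a.href) a.href = clean;
  if (a.dataset && a.dataset.urlRefAttrsInjected !== 'true') {
    a.dataset.urlRefAttrsInjected = 'true'; // the flag the post's workaround sets
  }
  return a;
}

// Locate the queryable root of the widget: shadow DOM (<twitterwidget>),
// iframe document, or something already queryable.
function widgetRoot(widgetEl) {
  if (widgetEl.shadowRoot) return widgetEl.shadowRoot;
  if (widgetEl.contentDocument) return widgetEl.contentDocument;
  return widgetEl;
}

// Harden every link now and keep hardening links the widget adds or rewrites
// later. Returns the observer (or null where MutationObserver is unavailable,
// e.g. under Node) so the caller can disconnect it when the embed is removed.
function hardenWidgetLinks(widgetEl, params = LEAK_PARAMS) {
  const root = widgetRoot(widgetEl);
  const fixAll = () => root.querySelectorAll('a[href]').forEach(a => {
    hardenLink(a);
    const clean = stripLeakParams(a.href, params);
    if (clean !== a.href) a.href = clean;
  });
  fixAll();
  if (typeof MutationObserver === 'undefined') return null;

  const observer = new MutationObserver(records => {
    for (const r of records) {
      if (r.type === 'attributes' && r.target.tagName === 'A') {
        hardenLink(r.target); // href/rel/target changed under us
      } else if (r.type === 'childList') {
        fixAll(); // new markup, e.g. the widget re-rendered
      }
    }
  });
  observer.observe(root, {
    subtree: true,
    childList: true,
    attributes: true,
    attributeFilter: ['href', 'rel', 'target'],
  });
  return observer;
}
```

Call hardenWidgetLinks(el) with the element the createTweet callback receives. One caveat: the observer reacts after an attribute changes, so whether it can undo a ref_url written by the widget's own click handler before the browser follows the link depends on microtask ordering in the target browsers and must be verified there; the data flag set by hardenLink is what the post relies on to stop that injection in the first place.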