From f314460b7c9ec74b1cffe6902119f7765215370d Mon Sep 17 00:00:00 2001
From: Joel Purra
Date: Tue, 27 Jan 2015 12:11:07 +0100
Subject: [PATCH] referer: HTML5 browsers no longer leak pad through HTTP referer header Added `rel="noreferrer"` to automatically generated links in the main pad window as well as the chat window. `rel="noreferrer"` is part of the HTML5 standard. While browser support isn't 100%, it's better than nothing. Future alternative solutions with wider browser support, such as intermediary redirect pages, are unaffected by this change. https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
---
 src/static/js/domline.js | 5 ++++-
 src/static/js/pad_utils.js | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/static/js/domline.js b/src/static/js/domline.js
index 100ce0919..7904029bd 100644
--- a/src/static/js/domline.js
+++ b/src/static/js/domline.js
@@ -198,7 +198,10 @@ domline.createDomLine = function(nonEmpty, doesWrap, optBrowser, optDocument) {
 href = "http://"+href;
 }
- extraOpenTags = extraOpenTags + '';
+ // Using rel="noreferrer" stops leaking the URL/location of the pad when clicking links in the document.
+ // Not all browsers understand this attribute, but it's part of the HTML5 standard.
+ // http://www.w3.org/TR/html5/links.html#link-type-noreferrer
+ extraOpenTags = extraOpenTags + '';
 extraCloseTags = '' + extraCloseTags;
 }
 if (simpleTags)
diff --git a/src/static/js/pad_utils.js b/src/static/js/pad_utils.js
index ef675dc75..855dd82b1 100644
--- a/src/static/js/pad_utils.js
+++ b/src/static/js/pad_utils.js
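Review bot: The comment added above the `extraOpenTags` assignment says the attribute "stops leaking" the pad location, but a per-link `rel` only covers anchors built here and in the matching `pieces.push` hunk in pad_utils.js. Any other outbound request from the pad page would still send the pad URL as referer. I would say so in the comment, e.g. `// Per-link mitigation only: covers links built here, not other requests made by the pad page.`, and treat a page-wide policy such as a `Referrer-Policy: no-referrer` response header as the broader control; whether the server already sets one is not visible here. The comment also cites the W3C copy over http while the commit message cites the WHATWG https URL, so using one reference in both places avoids drift. The body of createDomLine starts and ends outside this hunk.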
@@ -223,7 +223,10 @@ var padutils = {
 var startIndex = urls[j][0];
 var href = urls[j][1];
 advanceTo(startIndex);
- pieces.push('');
+ // Using rel="noreferrer" stops leaking the URL/location of the pad when clicking links in the document.
+ // Not all browsers understand this attribute, but it's part of the HTML5 standard.
+ // http://www.w3.org/TR/html5/links.html#link-type-noreferrer
+ pieces.push('');
 advanceTo(startIndex + href.length);
 pieces.push('');
 }
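Review bot: The comment above the changed `pieces.push` call documents only the referer effect, but under the HTML link-type definition `noreferrer` also gives `noopener` behaviour. That matters if these chat links can open in a new window; the anchor literal is not readable in this hunk as shown, so that is an assumption. Because the commit message anticipates replacing this with redirect pages later, I would record the second effect so it is not dropped by accident: `// noreferrer also implies noopener; keep one of them if this link can open a new window.` The enclosing loop and function start and end outside this hunk.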