Add rel="noreferrer" to external links.

Tells browsers not to send the Referer header when following external links. Among other things, this bypasses Pixiv's anti-hotlinking protection when opening direct image sources from Pixiv.
2019-10-06 01:32:14 -05:00
parent ce33cd8b02
commit 61619b719e
2 changed files with 3 additions and 3 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -80,14 +80,14 @@ module ApplicationHelper
    time_tag(time.strftime("%Y-%m-%d %H:%M"), time)
  end
-  def external_link_to(url, truncate: nil, strip: false, link_options: {})
+  def external_link_to(url, truncate: nil, strip: false, **link_options)
    text = url
    text = text.gsub(%r!\Ahttps?://!i, "") if strip == :scheme
    text = text.gsub(%r!\Ahttps?://(?:www\.)?!i, "") if strip == :subdomain
    text = text.truncate(truncate) if truncate
    if url =~ %r!\Ahttps?://!i
-      link_to text, url, {rel: :nofollow}.merge(link_options)
+      link_to text, url, rel: "noreferrer nofollow", **link_options
    else
      url
    end
--- a/app/helpers/posts_helper.rb
+++ b/app/helpers/posts_helper.rb
@@ -61,7 +61,7 @@ module PostsHelper
  def post_source_tag(post)
    # Only allow http:// and https:// links. Disallow javascript: links.
    if post.source =~ %r!\Ahttps?://!i
-      external_link_to(post.normalized_source, strip: :subdomain, truncate: 20) + "&nbsp;".html_safe + link_to("»", post.source, rel: :nofollow)
+      external_link_to(post.normalized_source, strip: :subdomain, truncate: 20) + "&nbsp;".html_safe + link_to("»", post.source, rel: "noreferrer nofollow")
    else
      truncate(post.source, length: 100)
    end