
This technique (redirecting through some dummy ?url=... page) is a common way of doing an external redirect on any service you're building. It's a simple way of making it impossible to see the actual Referer to external website, which is more secure for your data and the service you're building (e.g. Gmail).



There's a standard way to do that, which is to add a rel="noreferrer" tag to your outgoing links.


Code usually doesn't carry final HTML in its data structures, whereas converting a URL in a single place where it's extracted is easy. In other words, making sure you didn't forget to put rel=noreferrer everywhere is way harder.


And it still makes some sense to not entirely rely on it, given people still use browsers that do not support it.


> It's a simple way of making it impossible to see the actual Referer to external website

It's about tracking outbound links, not about masking the referrer. As already mentioned, there are standard ways for that.


Tracking can also be done in JS via an onclick event. What makes you so sure it's not about masking the referrer?


Because I've done tracking like that for several years, lots of services are still doing it this way and because rel="noopener" or rel="noreferrer" is the way to go if you want to mask the referrer. Even Google recommends doing it that way [0].

If you are not using it for tracking, there is no point in doing it like this after all.

[0] https://developers.google.com/web/tools/lighthouse/audits/no...


But browsers seem to have stopped giving out the referrer some years back.
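
The two approaches debated in this thread, side by side, as an added example that is not from any commenter: rewriting outbound URLs in the one place they are extracted, and auditing rendered HTML for external links that lack rel="noreferrer". The host name, the `/redirect` path, the function names and the sample HTML are all assumptions made for illustration.

```javascript
// Added example (constructed): host, redirect path and sample HTML are assumptions.
const OWN_HOST = "mail.example.com";   // hypothetical service host
const REDIRECT_PATH = "/redirect";     // hypothetical dummy ?url=... page
const BASE = `https://${OWN_HOST}/`;

// Approach 1: wrap every external URL at the single point where it is extracted.
function wrapOutbound(rawUrl) {
  let u;
  try { u = new URL(rawUrl, BASE); } catch { return null; }
  if (!/^https?:$/.test(u.protocol)) return null;                  // drop javascript:, data:, ...
  if (u.host === OWN_HOST) return u.pathname + u.search + u.hash;  // internal link, left as-is
  return `${REDIRECT_PATH}?url=${encodeURIComponent(u.href)}`;
}

// Read one attribute value (double-quoted, single-quoted or bare) from a tag's attribute text.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Approach 2: list external links in rendered HTML that lack rel="noreferrer".
// A regex scan is a coarse audit of final markup, not a full HTML parser.
function findLeakyLinks(html) {
  const leaky = [];
  for (const [, attrs] of html.matchAll(/<a\s([^>]*)>/gi)) {
    const href = attr(attrs, "href");
    if (!href) continue;
    let u;
    try { u = new URL(href, BASE); } catch { continue; }
    if (!/^https?:$/.test(u.protocol) || u.host === OWN_HOST) continue;
    const rel = (attr(attrs, "rel") || "").toLowerCase().split(/\s+/);
    if (!rel.includes("noreferrer")) leaky.push(u.href);
  }
  return leaky;
}

const SAMPLE_HTML = `
<a href="/inbox">Inbox</a>
<a href="https://news.example.org/story" rel="noopener noreferrer">ok</a>
<a href="https://shop.example.net/item?id=7">missing rel</a>
<a data-href="x" href='https://cdn.example.net/a' rel=nofollow>missing too</a>`;

console.log(findLeakyLinks(SAMPLE_HTML));
console.log(wrapOutbound("https://shop.example.net/item?id=7"));
```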



