When should I use rel=noreferrer?
As @unor said, it hides referrer information when the link is clicked. Basically this is a privacy enhancement for when you want to hide from the owner of the linked domain that the user came from your website.
Example:
User is on your website www.mywebsite.com, there you have a <a href="https://newsite.com">Link</a>
. When someone clicks the "Link" the owner of newsite.com knows it came from www.mywebsite.com. By setting rel=noreferrer
you prevent revealing this information.
A good example how it works is starting from 21:28 of this conference talk. This is considered to be a good practice when working with server-side (e.g. Node.js). You can also read about this on the Helmet documentation.
noreferrer
doesn't just block the HTTP referrer header, it also prevents a Javascript exploit involving window.opener
<a href="http://someurl.here" target="_blank">Link</a>
Looks innocuous enough, but there's a hole because, by default, the page that's being opened is allowing the opened page to call back into it via window.opener. There are some restrictions, being cross-domain, but there's still some mischief that can be donewindow.opener.location = 'http://gotcha.badstuff';
With noreferrer
most browsers will disallow the window.opener
exploit
In short, the noreferrer
link type hides referrer information when the link is clicked. A link with the noreferrer
link type looks something like this:
<a href="http://www.example.com" rel="noreferrer">Click here for more info</a>
If someone arrives at your site from a link that uses this link type, your analytics won't show who refered that link. Instead, it will mistakenly show as direct traffic in your acquisition channels report.
If you have an external link to someone else's site you don't trust and you want to hide referrer information then you can combine both and use
<a href="http://example.com/sample_page/" rel="noreferrer nofollow">Other Domain Link</a>
I advise you to use nofollow
links for the following content:
- Links in comments or on forums - Anything that has user-generated content is likely to be a source of spam. Even if you carefully moderate, things will slip through.
- Advertisements & sponsored links - Any links that are meant to be advertisements or are part of a sponsorship arrangement must be nofollowed.
- Paid links - If you charge in any way for a link (directory submission, quality assessment, reviews, etc.),
nofollow
the outbound links