[CONFSERVER-4085] Safe external links

Type: Suggestion
Resolution: Won't Fix

We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Currently, when external links are entered into Confluence pages, the link points directly to the linked page. This allows the linked site to harvest internal addresses (potentially containing page titles) of a private Confluence instance by logging the browser referrer header.

Confluence should have an option to enable "safe external links". This should include two features: allow the administrator to specify a list of "safe sites" (such as all internal servers) where linking can be direct. Then, if safe linking is enabled, Confluence would link to any pages which aren't on the safe list through a redirect page which would clear the browser referrer.
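The safe-list plus referrer-clearing redirect page proposed in the description, as an added example that is not part of this issue or of Confluence itself. SAFE_HOSTS, REDIRECT_PATH and all function names are assumptions; the redirect page sets both the Referrer-Policy header and the meta tag mentioned later in the thread.

```python
import html
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed sample: hosts the administrator has marked as safe for direct links.
SAFE_HOSTS = {"wiki.corp.example", "intranet.corp.example"}
# Hypothetical path of the referrer-clearing redirect page (assumption).
REDIRECT_PATH = "/plugins/servlet/safe-redirect?url="


def is_safe(url: str) -> bool:
    """Direct linking is allowed for relative links and safe-listed hosts."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return True  # relative link: stays inside the Confluence instance
    host = (parts.hostname or "").lower()
    return host in SAFE_HOSTS or any(host.endswith("." + h) for h in SAFE_HOSTS)


_HREF = re.compile(r'href="([^"]+)"')  # toy matcher; a real plugin would walk the DOM


def rewrite_links(page_html: str) -> str:
    """Route every non-safe href through the redirect page."""
    def repl(match):
        url = html.unescape(match.group(1))
        if is_safe(url):
            return match.group(0)
        return 'href="%s%s"' % (REDIRECT_PATH, quote(url, safe=""))
    return _HREF.sub(repl, page_html)


def redirect_response(query_url: str):
    """Build the interstitial as (status, headers, body). Only http(s) targets
    are accepted, so the page cannot be abused as an open redirect to
    javascript: or data: URLs. The header and the <meta> tag both say
    no-referrer, covering browsers that honour only one of them."""
    target = unquote(query_url)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 400, {}, "bad redirect target"
    headers = {"Referrer-Policy": "no-referrer", "Content-Type": "text/html"}
    safe_target = html.escape(target)
    body = ('<html><head><meta name="referrer" content="no-referrer">'
            '<meta http-equiv="refresh" content="0;url=%s"></head>'
            '<body><a href="%s">Continue</a></body></html>') % (safe_target, safe_target)
    return 200, headers, body
```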

Yuki Matsukura added a comment - edited

I need to somehow inject a custom meta tag or the HTTP header `Referrer-Policy` to avoid exposing the Confluence URL to the 3rd-party web site.

Self-hosted Confluence seems to allow customizing the HTML, but Confluence Cloud cannot modify the HTML tag.

https://user-images.githubusercontent.com/98103/181234698-27fec1e2-ac1f-463f-a0ae-73b0be7fc224.png

Radek Janata added a comment -

Also see the related KB article on this topic, with other possible workarounds mentioned:
https://confluence.atlassian.com/confkb/how-do-i-hide-referrer-info-to-linked-external-sites-779293508.html

Axel Heider added a comment -

Simply add `<meta name="referrer" content="no-referrer" />` into each page. See https://stackoverflow.com/questions/6817595/remove-http-referer and https://w3c.github.io/webappsec-referrer-policy for the background. It can be done in the Confluence config under "Custom HTML" -> "At end of the HEAD".

Christopher Owen [Atlassian] added a comment -

Because file URLs are not globally addressable anyway - there's no point in sending them.

Peter Smith (Atlassian) added a comment -

Yep - I just confirmed.

I wouldn't have thought of that - no referer from file://.

Is there any reason why that would/should not send a referer?

Man - things just got more complicated.

Christopher Owen [Atlassian] added a comment -

Ahh - stupid me, it was probably because I used an HTML file from a file:// URL; of course that won't be reported as a referer. So I was right to begin with.

Peter Smith (Atlassian) added a comment -

Hmmm... are you sure about that? I just reached the opposite conclusion.

I started at test.html, clicked a link to destination.jsp, which immediately redirected via a 'Location:' header to destination2.jsp, and here's what I got:

    destination2.jsp...
    host: localhost:8080
    user-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    accept-language: en-us,en;q=0.5
    accept-encoding: gzip,deflate
    accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    keep-alive: 300
    connection: keep-alive
    referer: http://localhost:8080/test.html
    cookie: JSESSIONID=3EB1E195C34AEB453A416FF21CBCDD0B

Notice the referer. Hmmmm.

Christopher Owen [Atlassian] added a comment -

It looks like Firefox doesn't send the referer on redirect, so it might be viable despite what I read. I'm not sure that any specific behaviour is specified in the HTTP spec about it, though, so I'm not sure how consistent this behaviour is.

Christopher Owen [Atlassian] added a comment -

I've read that redirection via anything other than a meta-refresh header will still send the referer URL, but I haven't verified this myself. I should clarify also that proxies aren't 100% effective if you allow your site to be accessed from networks not under the outbound proxy's control.

Peter Smith (Atlassian) added a comment -

I'd be curious to test the redirect stuff out - see what does what. Guess it'd be easy enough to test.

Would we implement something like this for hosted?
