I have to link some other external sites. I know when to use nofollow. But I am not clear when I should use rel=noreferrer.
You'll only need to use this on private pages or pages you don't want to advertise. E.g. a webmail or private bug tracker would be considered private and you don't want to leak any information to the external linked websites.
Sensitive public pages, like medical information or other sensitive topics, may also want to mask the referrer header.
noreferrer doesn't just block the HTTP referrer header, it also prevents a Javascript exploit involving window.opener:
<a href="http://someurl.here" target="_blank">Link</a>
Looks innocuous enough, but there's a hole because, by default, the page that's being opened is allowing the opened page to call back into it via window.opener. There are some restrictions, being cross-domain, but there's still some mischief that can be done:
window.opener.location = 'http://gotcha.badstuff';
With noreferrer most browsers will disallow the window.opener exploit.
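The answer above describes the window.opener problem in prose; the following is an added example (not code from any of the answers) that audits markup for links which open a new browsing context without noopener/noreferrer, and rewrites them so the opened page gets no opener reference. It uses a deliberately simplified regex tag scanner over constructed sample markup; the markup, the function names (auditAnchors, hardenAnchors) and the helpers are all assumptions for illustration, and a real DOM parser should be used on production HTML.

```javascript
// Added example, not from the original answers. Audit and harden <a> tags that
// open a new browsing context. A link with target="_blank" and neither
// rel="noopener" nor rel="noreferrer" hands the opened page a window.opener
// reference it can use to navigate the opener (the issue described above).
// Parsing here is a simplified regex scan over constructed sample markup,
// not a full HTML parser.
'use strict';

// One attribute: name = "value" | 'value' | bareword
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+))/g;

// Parse the attribute text of one <a ...> opening tag into a plain object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// rel is a space-separated token list and is compared case-insensitively.
function relTokens(rel) {
  return (rel || '').split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
}

// True when the anchor opens a new context and carries neither noopener nor
// noreferrer (in browsers that support it, noreferrer also implies noopener).
function exposesOpener(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const tokens = relTokens(attrs.rel);
  return !tokens.includes('noopener') && !tokens.includes('noreferrer');
}

// Return the href of every anchor in the markup that exposes window.opener.
function auditAnchors(html) {
  const findings = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (exposesOpener(attrs)) findings.push(attrs.href || '');
  }
  return findings;
}

// Rewrite the markup so every target="_blank" anchor carries noopener and
// noreferrer, keeping rel tokens that were already present (e.g. nofollow).
function hardenAnchors(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!exposesOpener(attrs)) return tag;
    const tokens = relTokens(attrs.rel);
    for (const t of ['noopener', 'noreferrer']) {
      if (!tokens.includes(t)) tokens.push(t);
    }
    const rel = tokens.join(' ');
    // Replace an existing rel attribute in place, otherwise append one.
    const relAttr = /(^|\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+)/i;
    if (relAttr.test(attrText)) {
      return `<a${attrText.replace(relAttr, `$1rel="${rel}"`)}>`;
    }
    return `<a${attrText.replace(/\s*$/, '')} rel="${rel}">`;
  });
}

// Constructed sample markup (assumption for the demo, not from the page).
const SAMPLE_HTML = [
  '<p>See <a href="http://someurl.here" target="_blank">Link</a>,',
  '<a href="http://example.com/sample_page/" rel="nofollow" target=\'_blank\'>Other</a>,',
  '<a href="/local" target="_blank" rel="noopener">Safe</a> and',
  '<a href="http://example.com/same">Same tab</a>.</p>',
].join('\n');

function main() {
  console.log('anchors exposing window.opener:', auditAnchors(SAMPLE_HTML));
  console.log(hardenAnchors(SAMPLE_HTML));
}

main();
```

Running it lists the two unsafe hrefs in the sample and prints the hardened markup, in which the first link gains rel="noopener noreferrer" and the nofollow link becomes rel="nofollow noopener noreferrer"; links that already had noopener, or that open in the same tab, are left untouched.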
As @unor said, it hides referrer information when the link is clicked. Basically this is a privacy enhancement, for when you want to hide from the owner of the domain of the clicked link that the user came from your website.
Example:
User is on your website www.mywebsite.com, where you have a <a href="https://newsite.com">Link</a>. When someone clicks the "Link", the owner of newsite.com knows it came from www.mywebsite.com. By setting rel=noreferrer you prevent revealing this information.
A good example of how it works starts at 21:28 of this conference talk. This is considered to be good practice when working server-side (e.g. Node.js). You can also read about this in the Helmet documentation.
In short, the noreferrer link type hides referrer information when the link is clicked. A link with the noreferrer link type looks something like this:
<a href="http://www.example.com" rel="noreferrer">Click here for more info</a>
If someone arrives at your site from a link that uses this link type, your analytics won't show who referred that link. Instead, it will mistakenly show as direct traffic in your acquisition channels report.
If you have an external link to someone else's site you don't trust and you want to hide referrer information, then you can combine both and use:
<a href="http://example.com/sample_page/" rel="noreferrer nofollow">Other Domain Link</a>
I advise you to use nofollow links for the following content:
nofollow
the outbound links