What you need to know about Referrer Policy

If you’re running WordPress, did you notice a recent change in your analytics where more traffic is being attributed to direct traffic or a no-referral bucket? When WordPress updated to 4.7.4, the text editor TinyMCE also updated, and this is where the problem actually lies.

In November 2016, TinyMCE added a security update that added rel=”noopener noreferrer” on links with target=”_blank”. This has since been changed to remove the noreferrer part in TinyMCE, but I don’t believe WordPress has this update yet. With this, traffic that should count as referral traffic may be misattributed.


TinyMCE should have left the security fix alone after adding noopener, and in a newer release they did remove noreferrer. The noopener tag is meant to close a security issue with target=”_blank” called reverse tabnabbing, which grants partial access to the previous page via the window.opener object. Basically, it can prevent a phishing attack by not allowing access to the window.opener object. With access, a simple phishing attack could change the window.opener.location to another page rather than the previous one or inject JavaScript on the previous page.

It's only fair to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInPin on PinterestShare on RedditShare on StumbleUponDigg thisShare on TumblrPrint this page

Leave a Reply

Your email address will not be published. Required fields are marked *