Burp Suite User Forum


"Cross-domain Referer leakage" is reported despite referrerpolicy attribute

Tobias | Last updated: Sep 11, 2023 12:30PM UTC

Hello, an active scan on one of our applications reports a "Cross-domain Referer leakage". Taking a look at the response tab in Burp Suite, the following snippet is highlighted: <a class="info-box" target="_blank" referrerpolicy="no-referrer" href="https://moodle/"> Shouldn't the attribute "referrerpolicy" prevent this leak, or did I miss something? We don't set the HTTP header value because we only want to prevent transmitting the referrer from specific links. Thanks for any hints in advance!

Syed, PortSwigger Agent | Last updated: Sep 12, 2023 09:08AM UTC

Hi Tobias, Yeah, looks like this one's a false positive. I will let the right people know about this. Thank you for sharing this.

Tobias | Last updated: Sep 12, 2023 10:03AM UTC

Thanks for checking this topic. Just keep me posted if you know more about it or get feedback. Thanks :)

Syed, PortSwigger Agent | Last updated: Sep 12, 2023 10:44AM UTC

Will do. Thank you Tobias.
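
One way to triage this kind of finding offline, as an added example that is not part of the original thread and not Burp Suite's own logic: the script below resolves the effective referrer policy for every cross-origin link in a response body and reports the worst-case Referer exposure. The page URL, all anchors after the first, and the names `audit`, `LinkAudit` and `header_policy` are constructed for illustration; it assumes the last valid `<meta name="referrer">` applies to every link.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Worst-case Referer exposure on a cross-origin navigation, per policy token.
EXPOSURE = {
    "no-referrer": "none", "same-origin": "none",
    "origin": "origin", "strict-origin": "origin", "origin-when-cross-origin": "origin",
    "strict-origin-when-cross-origin": "origin",
    "no-referrer-when-downgrade": "full-url", "unsafe-url": "full-url",
}
BROWSER_DEFAULT = "strict-origin-when-cross-origin"
PORTS = {"http": 80, "https": 443}

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or PORTS.get(u.scheme))

class LinkAudit(HTMLParser):
    def __init__(self, page_url, header_policy=None):
        super().__init__()
        self.page_url = page_url
        self.doc_policy = header_policy if header_policy in EXPOSURE else BROWSER_DEFAULT
        self.links = []  # (absolute href, element-level policy or None)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            content = a.get("content", "").strip().lower()
            if content in EXPOSURE:      # simplification: last valid meta wins
                self.doc_policy = content
        elif tag in ("a", "area") and "href" in a:
            policy = a.get("referrerpolicy", "").strip().lower()
            if "noreferrer" in a.get("rel", "").lower().split():
                policy = "no-referrer"   # rel=noreferrer suppresses the header
            self.links.append((urljoin(self.page_url, a["href"]),
                               policy if policy in EXPOSURE else None))

def audit(html, page_url, header_policy=None):
    """Return (href, effective_policy, exposure) for each cross-origin link."""
    p = LinkAudit(page_url, header_policy)
    p.feed(html)
    return [(href, policy or p.doc_policy, EXPOSURE[policy or p.doc_policy])
            for href, policy in p.links
            if urlsplit(href).scheme in PORTS and origin(href) != origin(page_url)]
# Constructed sample; only the first anchor is the one quoted in the thread.
PAGE = "https://app.example/courses?session=abc"
SAMPLE = """<a class="info-box" target="_blank" referrerpolicy="no-referrer" href="https://moodle/">Moodle</a>
<a href="https://partner.example/docs">Docs</a>
<a referrerpolicy="unsafe-url" href="https://tracker.example/">Tracker</a>
<a href="/local/page">Local</a>"""
```

For the anchor quoted in the thread the effective policy is `no-referrer`, so a conforming browser sends no Referer header on that navigation; the links that deserve attention are those whose exposure is `full-url`.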
