Commit 742cbd5
fix(embeds): tighten iframe referrer policy to avoid leaking document URLs (tldraw#8412)
In order to prevent leaking document paths (e.g. room IDs, query params)
to third-party embed providers, this PR switches the `referrerPolicy` on
embed iframes from `no-referrer-when-downgrade` to
`strict-origin-when-cross-origin`.
Despite its name, `no-referrer-when-downgrade` sends the **full URL**
(including path and query string) to any HTTPS destination.
`strict-origin-when-cross-origin` sends only the **origin** (e.g.
`https://tldraw.com`) for cross-origin requests, which is all embed
providers need for domain allowlisting and analytics. This is also the
modern browser default.
Relates to tldraw#8306, tldraw#8404
### Change type
- [x] `improvement`
### Test plan
1. Paste a known embed (YouTube, Figma, Google Maps, etc.) — should
render and function normally
2. Paste an arbitrary `<iframe>` embed code — should render normally
3. Verify in DevTools Network tab that the `Referer` header sent to
embed hosts contains only the origin, not the full path
### Release notes
- Tighten iframe referrer policy for embeds to avoid leaking document
URLs to third-party embed providers.
### Code changes
| Section | LOC change |
| --------- | ---------- |
| Core code | +2 / -2 |
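The description above states the behaviour of the two policies but the rendered diff does not show the attribute itself, so the following is an added example (not tldraw's code) that models the Referrer Policy rules for a given iframe `referrerPolicy` value and turns the "does this leak the document path?" question into a check a test suite could run. The document and embed URLs are constructed placeholders, and the downgrade test is simplified to HTTPS-to-HTTP only (the spec's full "potentially trustworthy" notion is not modelled).

```javascript
// Added example, not part of the tldraw commit. Computes the Referer value a
// browser would send for a given referrerPolicy, following the Referrer Policy
// spec's per-policy rules. Simplification (assumption): a "downgrade" is taken
// to be https -> http only; localhost/file: special cases are not modelled.

// Full referrer: the spec strips credentials and the fragment before sending.
function strippedReferrer(url) {
  return url.origin + url.pathname + url.search;
}

// Origin-only referrer; browsers send it with a trailing slash.
function originReferrer(url) {
  return url.origin + '/';
}

// Returns the Referer header value, or null when no header would be sent.
function referrerFor(policy, sourceUrl, destUrl) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol === 'http:';
  const full = strippedReferrer(src);
  const origin = originReferrer(src);

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      // Full URL (path and query) to any non-downgrade target, cross-origin included.
      return downgrade ? null : full;
    case 'origin':
      return origin;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : origin;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'strict-origin':
      return downgrade ? null : origin;
    case 'strict-origin-when-cross-origin':
      // Full URL only same-origin; origin only when cross-origin; nothing on downgrade.
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case 'unsafe-url':
      return full;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Constructed sample document URL with a room id and query string (placeholder
// values, not a real tldraw path) and a constructed cross-origin embed host.
const DOCUMENT_URL = 'https://app.example.com/r/ROOM_ID_PLACEHOLDER?v=2#selection';
const EMBED_URL = 'https://embed-provider.example/embed/abc';

// True when the policy would expose the document's path or query string to a
// cross-origin HTTPS embed host. Suitable as a regression check on the
// referrerPolicy an embed iframe is rendered with.
function leaksPathCrossOrigin(policy, documentUrl = DOCUMENT_URL, embedUrl = EMBED_URL) {
  const sent = referrerFor(policy, documentUrl, embedUrl);
  return sent !== null && sent !== originReferrer(new URL(documentUrl));
}

// Side-by-side view of every policy for the same document/embed pair.
function compareAllPolicies(documentUrl = DOCUMENT_URL, embedUrl = EMBED_URL) {
  const policies = [
    'no-referrer', 'no-referrer-when-downgrade', 'origin',
    'origin-when-cross-origin', 'same-origin', 'strict-origin',
    'strict-origin-when-cross-origin', 'unsafe-url',
  ];
  return Object.fromEntries(policies.map((p) => [p, referrerFor(p, documentUrl, embedUrl)]));
}

console.table(compareAllPolicies());
console.log('leaks with no-referrer-when-downgrade:', leaksPathCrossOrigin('no-referrer-when-downgrade'));
console.log('leaks with strict-origin-when-cross-origin:', leaksPathCrossOrigin('strict-origin-when-cross-origin'));
```

Running it shows the point of the commit directly: under `no-referrer-when-downgrade` the cross-origin embed host receives `https://app.example.com/r/ROOM_ID_PLACEHOLDER?v=2`, while under `strict-origin-when-cross-origin` it receives only `https://app.example.com/`, and a plain-HTTP target receives nothing. `leaksPathCrossOrigin` is the shape of assertion that would catch a future regression to the permissive value without relying on a manual DevTools inspection.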
Made with [Cursor](https://cursor.com)
1 parent 3807ada
commit 742cbd5
1 file changed
Lines changed: 2 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
234 | 234 | | |
235 | 235 | | |
236 | 236 | | |
237 | | - | |
| 237 | + | |
238 | 238 | | |
239 | 239 | | |
240 | 240 | | |
| |||
337 | 337 | | |
338 | 338 | | |
339 | 339 | | |
340 | | - | |
| 340 | + | |
341 | 341 | | |
342 | 342 | | |
343 | 343 | | |
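Review bot: the two hunks (line 237 and line 340 of the same file) each make the identical one-line substitution the description names, from `no-referrer-when-downgrade` to `strict-origin-when-cross-origin`, which leaves the policy as a duplicated literal in two iframe render paths; hoisting it into one shared constant would keep them from drifting the next time either is touched. The DevTools `Referer` check in the test plan is also manual; an assertion on the rendered iframe's `referrerPolicy` attribute would make a regression to the permissive value fail in CI. Note too that the rendered table shows only line numbers for these hunks, so the actual changed lines cannot be reviewed from this page.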
| |||