Thanks a lot for raising this @gregtyler. Seems sensible and low effort.
It's also outlined that we forgot to add an attributes param to the Nunjucks macro which could've been a stopgap in our guidance. This should be a default attribute for the component but I think we can also add support for passing custom attributes to the component as part of this.
As an additional thought, should we include the nofollow value as well? This would indicate to search engines that the link is not endorsed by GOV.UK for the purposes of determining search rankings.
Probably a minor thing but as we're linking off to external services, we may want to make that relationship clear.
Related component
Exit this page
Context
When exiting the service, the target website by default has knowledge of the referring page within the service. The target website therefore could show a message like "Thank you for visiting us from X", which would undermine the intention of the exit route and potentially put the user at risk.
This can be somewhat mitigated by choosing sensible exit sites, but since we have no control over external websites' content, their behaviour cannot be guaranteed.
By adding the rel="noreferrer" attribute to the link, the target website will not be passed the referrer's information by the browser and it will instead behave as if the user has visited the target website directly.
Alternatives
There is also rel="noopener", which prevents setting the window.opener property on the target site. rel=noreferrer provides this functionality and strips out the "Referer" header.
Additional information (if applicable)
Referer is knowingly misspelt in the HTML spec and all implementations
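An added example (not from the issue and not GOV.UK Frontend's own code) of the behaviour discussed in this thread: the exit link always carries rel="noreferrer", and a custom attributes map can add tokens such as nofollow but cannot remove it. The names mergeRel, renderExitLink and the attributes option are hypothetical.

```javascript
// Added example: hypothetical helper names, not the component's real API.
const REQUIRED_REL = ['noreferrer']; // noreferrer also gives noopener behaviour

// Merge caller-supplied rel tokens with the required ones (case-insensitive),
// so a custom rel can add tokens but can never drop noreferrer.
function mergeRel(customRel) {
  const tokens = String(customRel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return [...new Set([...REQUIRED_REL, ...tokens])].join(' ');
}

// Escape a value for use in a double-quoted attribute or in text content.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the exit link. `attributes` stands in for the custom-attribute map
// a macro would accept; href is owned by the component and is not overridable.
function renderExitLink({ href, text, attributes = {} }) {
  const attrs = { href, rel: '' };
  for (const [rawName, value] of Object.entries(attributes)) {
    const name = rawName.toLowerCase(); // HTML attribute names are case-insensitive
    if (!/^[a-z][a-z0-9-]*$/.test(name) || name === 'href') continue;
    attrs[name] = value;
  }
  attrs.rel = mergeRel(attrs.rel);
  const rendered = Object.entries(attrs)
    .map(([name, value]) => `${name}="${escapeAttr(value)}"`)
    .join(' ');
  return `<a ${rendered}>${escapeAttr(text)}</a>`;
}
```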