What's Up with Mastodon and "Referer" Headers?

May 19, 2024

One thing that’s helped me keep up with blogging this month is seeing my web analytics numbers go up. I maybe check my analytics too often, but at least it’s a good motivator to be productive.

I’ve known for a while that Mastodon doesn’t send HTTP Referer headers[1] for outgoing links via the web app, but it’s always slightly annoyed me. I still get visitor data for people coming from Mastodon, I just can’t tell that Mastodon sent them.

This isn’t really that big a deal. Most people don’t use web clients for social media services, and the mobile/native clients don’t send referral data. Still, I do see Referer headers for some web traffic from Bluesky and Threads in my stats. I was curious why it’s not the same for Mastodon.

In late 2019, Eugen Rochko, the CEO/lead developer of Mastodon, approved a pull request that added the noreferrer keyword to the rel attribute on outgoing links. Later, in 2022, someone opened a GitHub issue requesting that some referrer value be sent for links clicked from Mastodon. Rochko replied that the change had been made “more or less by accident”, and that it was “missed during review”. Regardless, you can tell from the tone of the thread in the GitHub issue that the community didn’t want this changed back.

The Referer header definitely has security and privacy implications, and the original intent was to use Referrer-Policy: origin rather than suppress the header entirely. Under that policy, the only thing a link click would leak is the origin of the Mastodon instance (its scheme and host), never the URL of the post or profile the link appeared on. That seems like a reasonable tradeoff to me, but the community still had concerns. The main one was that malicious users could trace links back to a specific Mastodon instance in order to harass users. That’s true, and I understand the worry, but malicious users can still trace links back to an instance unless it blocks all web crawlers… and those crawlers honour the blocking request. Mastodon is still part of the open web, after all. Still, this does offer another layer of protection. Anyway, the issue was eventually closed, and all Mastodon links still carry both the noreferrer and noopener keywords in the rel attribute.

I was mostly coming at this from a curiosity angle, and I understand the privacy concerns, but I also worry that this isn’t great for Mastodon in the long term. I don’t get a lot of web traffic from other social platforms — but I get none from Mastodon. I think this will only make Mastodon more anonymous for people looking at analytics. If I ever decide I really care about tracking Mastodon traffic on my links in detail, I’ll likely add UTM parameters for links I post to my own site.
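To make the tradeoff above concrete, here is an added example (my own code, not Mastodon’s and not from the GitHub thread) that computes the Referer value a browser sends for a link click, following the W3C Referrer Policy algorithm “Determine request’s referrer”. It covers the three configurations discussed in this post: the browser default policy, the Referrer-Policy: origin that the issue asked for, and a link carrying rel="noreferrer" as Mastodon ships it. It also includes the UTM-tagging fallback mentioned above, since query parameters travel in the link target and are unaffected by noreferrer. The hosts mastodon.example and blog.example and the post ID are constructed sample values. Simplifications: only http(s) URLs are handled, and “downgrade” is treated as any https to non-https navigation.

```javascript
// Added example, not Mastodon code: computes the Referer header a browser
// sends for a link click, following the W3C Referrer Policy algorithm
// "Determine request's referrer". Only http(s) URLs are considered and a
// downgrade is simply https -> non-https (the spec's notion is broader).

// Credentials and the fragment are never sent as part of a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// The spec serialises the referrer origin as origin + "/".
function originOf(url) {
  return new URL(url).origin + "/";
}

function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// referrer: URL of the page containing the link; target: the link's href;
// policy: the document's Referrer-Policy; rel: the <a> element's rel attribute.
// Returns the Referer value as a string, or null when no header is sent.
function refererFor({ referrer, target, policy = "strict-origin-when-cross-origin", rel = "" }) {
  // rel="noreferrer" on the link forces the "no-referrer" policy for that
  // navigation regardless of the document policy. This is what Mastodon does.
  if (rel.split(/\s+/).includes("noreferrer")) return null;
  if (policy === "") policy = "strict-origin-when-cross-origin";
  if (policy === "no-referrer") return null;

  const origin = originOf(referrer);
  let full = stripForReferrer(referrer);
  if (full.length > 4096) full = origin; // spec caps referrer URLs at 4096 bytes
  const cross = !sameOrigin(referrer, target);
  const down = isDowngrade(referrer, target);

  switch (policy) {
    case "unsafe-url":                 return full;
    case "origin":                     return origin;
    case "strict-origin":              return down ? null : origin;
    case "same-origin":                return cross ? null : full;
    case "origin-when-cross-origin":   return cross ? origin : full;
    case "no-referrer-when-downgrade": return down ? null : full;
    case "strict-origin-when-cross-origin":
      if (!cross) return full;
      return down ? null : origin;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// The fallback the post mentions: put the attribution in the URL itself.
// Query parameters are part of the link target, so noreferrer can't strip them.
function withUtm(url, { source, medium = "social", campaign }) {
  const u = new URL(url);
  u.searchParams.set("utm_source", source);
  u.searchParams.set("utm_medium", medium);
  if (campaign) u.searchParams.set("utm_campaign", campaign);
  return u.href;
}

// Constructed sample URLs (not real hosts): a Mastodon post and a blog link.
const POST = "https://mastodon.example/@alice/112345678901234567";
const BLOG = "https://blog.example/2024/05/referer-headers";

const cases = [
  ["unsafe-url", {}],                                                    // full post URL
  ["strict-origin-when-cross-origin", {}],                               // browser default
  ["origin", {}],                                                        // what the issue asked for
  ["strict-origin-when-cross-origin", { rel: "noopener noreferrer" }],   // what Mastodon ships
];
for (const [policy, extra] of cases) {
  const v = refererFor({ referrer: POST, target: BLOG, policy, ...extra });
  console.log(`${policy.padEnd(32)} rel="${extra.rel ?? ""}" -> ${v ?? "(no Referer)"}`);
}
console.log(withUtm(BLOG, { source: "mastodon" }));
```

Running it shows the part that the GitHub discussion tends to skip over: for a cross-origin https-to-https click, the policy that is the default in current browsers (strict-origin-when-cross-origin) already reduces the referrer to the instance origin, so Referrer-Policy: origin and the default behave identically for a link from a Mastodon post to an external blog. What noreferrer adds on top is taking that origin down to nothing. The one case where origin is strictly more permissive than the default is a downgrade to a plain-http target, where the default sends nothing and origin still sends the instance origin.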

  1. I only realized today that “Referer” isn’t spelled correctly. Apparently this is a spelling mistake that was locked into the specification in 1996 (RFC 1945, the HTTP/1.0 spec); the later Referrer-Policy header uses the correct spelling. I guess I’ve gotten away this long without realizing it because I’ve been saved by HTTP libraries?