Set referrerpolicy to images when rendering rich text (#990)

robbevp · web-flow · commit 6741fca94b86 · 2026-02-21T09:30:27.000Z
diff --git a/app/lib/rich_text.rb b/app/lib/rich_text.rb
@@ -11,13 +11,15 @@ def initialize(text:)
     # Iterate over all images and unlink tracking pixels
     css('img[src]').each do |node|
       node.unlink if TrackingDetection.tracking_pixel?(node)
+
+      # Don't send referrer when requesting images
+      node.set_attribute('referrerpolicy', 'no-referrer')
     end
   end
 
   # Iterate over all urls in the document
   # If the block returns a new url, the element gets replaced
-  # rubocop:disable Metrics/AbcSize
-  def handle_img_urls(&)
+  def handle_img_urls(&) # rubocop:disable Metrics/AbcSize
     css('img[src]').each do |node|
       node.set_attribute('src', yield(node['src']))
     end
@@ -31,7 +33,6 @@ def handle_img_urls(&)
       node.set_attribute('style', urls_in_styles(node['style'], &))
     end
   end
-  # rubocop:enable Metrics/AbcSize
 
   def add_to_head(node_or_string)
     at_css('head').add_child(node_or_string)
diff --git a/test/components/entry_component_test.rb b/test/components/entry_component_test.rb
@@ -40,7 +40,8 @@ class EntryComponentTest < ViewComponent::TestCase
     render_inline(EntryComponent.new(entry:))
 
     assert_selector '.entry__iframe'
-    assert_includes page.find('.entry__iframe')[:srcdoc], '<body><div><img src="https://example.com/image.jpg"></div></body>'
+    assert_includes page.find('.entry__iframe')[:srcdoc],
+                    '<body><div><img src="https://example.com/image.jpg" referrerpolicy="no-referrer"></div></body>'
   end
 
   test 'should replace image src when proxied' do
@@ -55,7 +56,7 @@ class EntryComponentTest < ViewComponent::TestCase
 
     assert_selector '.entry__iframe'
 
-    regex = %r{<img src="/rails/active_storage/blobs/redirect/[A-Za-z\d=-]+/image.jpg">}
+    regex = %r{<img src="/rails/active_storage/blobs/redirect/[A-Za-z\d=-]+/image.jpg"}
 
     assert_match regex, page.find('.entry__iframe')[:srcdoc]
   end
diff --git a/test/lib/rich_text_test.rb b/test/lib/rich_text_test.rb
@@ -3,6 +3,14 @@
 require 'test_helper'
 
 class RichTextTest < ActiveSupport::TestCase
+  test 'should set no-referrer for all images' do
+    text = RichText.new(
+      text: '<div><img src="https://example.com/image.jpg" /></div>'
+    )
+
+    assert_includes text.to_html, '<img src="https://example.com/image.jpg" referrerpolicy="no-referrer">'
+  end
+
   # Handle_img_urls
   test 'should detect url is srcset' do
     text = RichText.new(
