<p>Mastodon Now Sends Referer Headers! Hurrah!</p><p><a href="https://shkspr.mobi/blog/2024/12/mastodon-now-sends-referer-headers-hurrah/" rel="nofollow" class="ellipsis" title="shkspr.mobi/blog/2024/12/mastodon-now-sends-referer-headers-hurrah/"><span class="invisible">https://</span><span class="ellipsis">shkspr.mobi/blog/2024/12/masto</span><span class="invisible">don-now-sends-referer-headers-hurrah/</span></a></p><p>Back in 2022, I wrote this rather grumpy post on Mastodon, the federated social media platform.</p><p><a href="https://mastodon.social/@Edent" rel="nofollow">@
[email protected] Eden</a><p>Mastodon enforces a "noreferrer" on all external links.</p><p>I have mixed feelings about that.</p><p>As a blogger, I want to see *where* visitors are coming from. I also like to see (and sometimes join in) with the conversations they're having.</p><p>But, I get that people want privacy and don't want to "leak" where they're visiting from.</p><p>Is it such a bad thing to tell a website "I was referred from this specific server"?</p><a href="https://mastodon.social/@Edent/109323917419768019" rel="nofollow">❤️ 61 💬 16 🔁 29 | 07:09 - Fri 11 November 2022</a></p><p>When you click on this link - <a href="https://www.bbc.co.uk/news" rel="nofollow"><span class="invisible">https://</span>www.bbc.co.uk/news</a> - your browser says "Hey! BBC! Please can I have your /news page? BTW, I was referred here by shkspr.mobi. THANKS!" This is called the "<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer" rel="nofollow">Referer</a>" and, yes, it is <a href="https://en.wikipedia.org/wiki/HTTP_referer#Etymology" rel="nofollow">mispelt</a>.</p><p>On the one hand, sending the referer is good; it lets the linked-to server know who is linking to it. That allows them to see where traffic is coming from. On the other hand, this could be bad for much the same reason.</p><p>If you run a server anarcho_terrorists.biz, you probably don't want the FBI knowing that your members are sharing links to their pages. If you run a small personal server, you may not want anyone knowing that you personally linked to them. If you run a server for a marginalised community, you may not want a hate-site to know your members are linking to you.</p><p>But if you're a large-ish, general purpose, non-private site - like Mastodon.social - where's the harm in allowing referer headers?</p><p>Anyway, for historic reasons, Mastodon blocked the referer header. This, I believe, was sensible for smaller servers but a misstep for larger servers. 
As I pointed out last week:</p><p><a href="https://mastodon.social/@Edent" rel="nofollow">@
[email protected] Eden</a><p>Two years later.</p><p>Want to know one of the major reasons Mastodon didn't catch on with journalists and large website owners?</p><p>It is *invisible* in referrer statistics.</p><p>Here's my blog from the last month.</p><p>BlueSky now sends me more traffic than Bing.</p><p>How much traffic does Mastodon send? It is impossible to know due to the "noreferrer" header in all links.</p><p>(I'm not saying your privacy isn't important. But you can't grow a community if no-one knows you exist.)</p><a href="https://mastodon.social/@Edent/113611619218784737" rel="nofollow">❤️ 305 💬 57 🔁 248 | 12:48 - Sat 07 December 2024</a></p><p>I'm not the only one to make this point - it has been a popular complaint for some time.</p><p>A few days ago, <a href="https://github.com/mastodon/mastodon/pull/33214" rel="nofollow">Mastodon changed to allow this to be configurable</a>.</p><p>This is excellent news. Website owners will be able to (somewhat) accurately see how much traffic Mastodon sends them. That way they can determine if there is a suitably large audience to engage with on the Fediverse.</p><p>It is, of course, slightly more complicated than that!</p><p>Instance owners can opt in to allowing Referer headers (it is off by default).<br>The <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#directives" rel="nofollow">policy</a> means that only the domain name is sent; not the full page.<br>Mastodon is federated and there are thousands of sites. Even if they all opted in, their statistics will be fragmented.<br>Apps can set their own Referer header - leading to more fragmentation.<br>Even if they do opt in, users can set their browsers not to send Referer headers.</p><p>Nevertheless, I'm delighted with this change. 
Hopefully it will allow the Fediverse to grow and attract more users.</p><p><a href="/tags/fediverse/" rel="tag">#fediverse</a> <a href="/tags/http/" rel="tag">#http</a> <a href="/tags/mastodon/" rel="tag">#mastodon</a></p>
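<p>As an added example (not code from the original post or from Mastodon), here is a simplified JavaScript model of how a browser picks the Referer value for a link click, showing what a destination site learns under <code>rel="noreferrer"</code> versus a policy that sends only the domain. The <code>origin</code> policy name is an assumption chosen to match "only the domain name is sent"; the function names and sample URLs are constructed for illustration.</p>

```javascript
// Added example: simplified model of how a browser chooses the Referer header
// for a link click. Not Mastodon's code; function names are hypothetical.

// Remove credentials and fragment; optionally reduce to scheme://host[:port]/
function stripUrl(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  return originOnly ? u.origin + '/' : u.href;
}

// Returns the Referer string, or null when no header is sent.
function refererFor({ from, to, policy = 'strict-origin-when-cross-origin', rel = '' }) {
  // rel="noreferrer" on the link wins over any page-level policy.
  if (rel.toLowerCase().split(/\s+/).includes('noreferrer')) return null;
  const src = new URL(from);
  const dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  // Simplification: "downgrade" here means https -> anything that is not https.
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  const full = stripUrl(from, false);
  const origin = stripUrl(from, true);
  switch (policy) {
    case 'no-referrer': return null;
    case 'origin': return origin;
    case 'strict-origin': return downgrade ? null : origin;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : origin);
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'unsafe-url': return full;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Constructed sample: a post on an instance linking out to a blog.
const post = 'https://mastodon.social/@Edent/113611619218784737';
const blog = 'https://shkspr.mobi/blog/';
for (const [rel, policy] of [['nofollow noopener noreferrer', 'origin'],
                             ['nofollow noopener', 'origin'],
                             ['nofollow noopener', 'same-origin']]) {
  console.log(rel.padEnd(30), policy.padEnd(12), refererFor({ from: post, to: blog, rel, policy }));
}
```

<p>Only the middle case sends anything, and it reveals the instance's domain but not which post or profile the visitor came from.</p>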