If you’re running WordPress, did you notice a recent change in your analytics where more traffic is being attributed to direct traffic or a no referral bucket?When WordPress updated to 4.7.4,the text editor TinyMCE also updated, and this is where the problem actually lies.

TinyMCE should have left the security fix alone after adding noopener, and in a newer release they did remove noreferrer.The noopener tag is meant to close a security issue with target=”_blank” called reverse tabnabbing, which grants partial access to the previous page via the window.opener object. Basically, it can prevent a phishing attack by not allowing access to the window.opener object.With access, a simple phishing attack could change the window.

Noreferrer is meant to strip the HTTP referrer header (technically the “referer header” because of an old misspelling) and is intended to not pass this value between pages. The referrer header is meant to pass information about the previous web page to the new web page, so if I go from Page A to Page B, then the URL from Page A will be passed in the header, and I will know that the traffic came from Page A.

A lot of people confused “noopener noreferrer” with “nofollow.” Many forums and Q&A sites mistook these tags to indicate links weren’t passing value, as is the case with nofollow links, but that’s simply not true.Noopener noreferrer will not have any impact on your SEO, but noreferrer will create problems with your analytics.By stripping the referral value, the traffic from these links will be misattributed — instead of showing as referral traffic, they will be attributed as “direct” in Google Analytics.

A primer on Referrer Policy
Referrer Policy is used to determine what information is sent along with the requests.Many people know, for instance, that the referral value is stripped when going from a page using HTTPS to a page using the HTTP protocol, but did you know that’s because this is the default setting for the Referrer Policy if nothing is specified?Technically, this is “no-referrerwhendowngrade,” which means it will strip the referral when downgrading to an insecure request like switching from HTTPS to HTTP.You don’t have to use the default setting, though.In the case of the WordPress example we looked at earlier, noreferrer was added to the rel element on links set to open in a new window.This caused enough of an issue by itself,but there are many other ways that the Referral Policy can be set, including at a page level, which can wreak havoc on your analytics.

Referrer Policies
Referrer Policy isn’t just for removing the referral value; it’s for giving you control of the value.One of the things often missed whenmoving from HTTP to HTTPS is setting a referrer policy.Most people accept as fact that you lose the referral value when going from an HTTPS website to an HTTP website, but you don’t have to lose the referral value on downgrade requests if letting insecure websites know that you sent them traffic is important to your business model.

Referrer Policy options

*No-referrer — No referrer information is sent.

*No-referrer-when-downgrade — This is the default behavior if no policy is specified.It always passes the full path and will pass a value from HTTPS > HTTPS but not HTTPS > HTTP.

*Origin — Sends the domain but not the full path.

*Origin-when-cross-origin — Sends the full path when on the same domain, but only the domain when passing to another website.

*Same-origin — Sends the full path if it’s the same domain, but strips the value if going to another website.

*Strict-origin — Sends the domain for HTTPS > HTTPS and HTTP > HTTP, but not HTTPS > HTTP.

*Strict-origin-when-cross-origin — Sends the full path if on the same domain and from one secure page to another, sends the domain if going from HTTPS on one domain to another domain, and doesn’t pass if going from a secure domain to an insecure domain.

*Unsafe-url — Sends the full path.


Peter Zmijewski is the founder and CEO at KeywordSpy.His expert knowledge on Internet Marketing practices and techniques has earned him the title “Internet Marketing Guru“ He is also an innovator, investor and entrepreneur widely recognized by the top players in the industry.