https://community.dynatrace.com/t5/Real-User-Monitoring/Does-strict-Referrer-policy-impact-RUM/m-p/178841#M3477 <P>As always the answer is "it depends".</P><P>There are many factors influencing the outcome:</P><P>* Are they using https(i am guessing they do)</P><P>* Are we talking about newer browsers which have Server-Timing API support?</P><P>* Do they use older jsagent versions and aws lambda support?</P><P>&nbsp;</P><P>In general we have improved a few things recently with aws lambda support to make it work. There are however some limitations where we do need the referer to properly correlate a webrequest to an action. This is mostly the case when loading e.g. images during an action, because the request is triggered entirely by the browser and we can not modify the information on those requests. Those might not be correlated(see above list), because we can not 100% be sure that they match to an action and we'd rather not correlate them than correlate them wrong.</P><P>&nbsp;</P><P>So the best thing is probably to try it out and see if it affects the customer in a way that is acceptable or not. But as always with almost all security relevant changes: If you get rid of data, you might also get rid of functionality.</P> Tue, 18 Jan 2022 15:38:56 GMT simon_schatka 2022-01-18T15:38:56Z https://community.dynatrace.com/t5/Real-User-Monitoring/Does-strict-Referrer-policy-impact-RUM/m-p/176926#M3267 <P>We have a customer that uses an external authentication service.<BR /><BR />The external party did an audit which showed that the customer's<SPAN class=""><SPAN class=""><SPAN>&nbsp;Referrer Policy has a vulnerability.</SPAN></SPAN><BR /><SPAN class=""><SPAN>Forwarding of referrer URLs from customer's closed domains is no longer desirable and therefore they need to stop this.&nbsp;</SPAN></SPAN><BR /><SPAN class="">The referrer policy will have the value 'no-referrer' or 'same-origin' (see <A href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy" target="_blank" rel="noopener">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy</A></SPAN></SPAN><SPAN class=""><SPAN class="">).</SPAN><BR /><BR /><SPAN class=""><SPAN>The question is if adjusting this setting may have consequences for the functioning of Dynatrace. </SPAN></SPAN></SPAN></P><P><SPAN class=""><SPAN class=""><SPAN>Currently they use Agentless RUM, manually injected. Where for example "app.customer.domain" is where the injection takes place, and&nbsp; RUM data is sent to "activegate.customer.domain".<BR /><BR />I happen to think that the change in Referrer policy has no direct effect on Dynatrace RUM. Dynatrace is great in detecting and measuring the use of referrers. But I want to be absolutely sure this has not impact.</SPAN></SPAN></SPAN></P> Fri, 03 Dec 2021 14:57:34 GMT https://community.dynatrace.com/t5/Real-User-Monitoring/Does-strict-Referrer-policy-impact-RUM/m-p/176926#M3267 fstekelenburg 2021-12-03T14:57:34Z https://community.dynatrace.com/t5/Real-User-Monitoring/Does-strict-Referrer-policy-impact-RUM/m-p/178841#M3477 <P>As always the answer is "it depends".</P><P>There are many factors influencing the outcome:</P><P>* Are they using https(i am guessing they do)</P><P>* Are we talking about newer browsers which have Server-Timing API support?</P><P>* Do they use older jsagent versions and aws lambda support?</P><P>&nbsp;</P><P>In general we have improved a few things recently with aws lambda support to make it work. There are however some limitations where we do need the referer to properly correlate a webrequest to an action. This is mostly the case when loading e.g. images during an action, because the request is triggered entirely by the browser and we can not modify the information on those requests. Those might not be correlated(see above list), because we can not 100% be sure that they match to an action and we'd rather not correlate them than correlate them wrong.</P><P>&nbsp;</P><P>So the best thing is probably to try it out and see if it affects the customer in a way that is acceptable or not. But as always with almost all security relevant changes: If you get rid of data, you might also get rid of functionality.</P> Tue, 18 Jan 2022 15:38:56 GMT https://community.dynatrace.com/t5/Real-User-Monitoring/Does-strict-Referrer-policy-impact-RUM/m-p/178841#M3477 simon_schatka 2022-01-18T15:38:56Z