cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Does strict Referrer policy impact RUM?

fstekelenburg
DynaMight Pro
DynaMight Pro

We have a customer that uses an external authentication service.

The external party did an audit which showed that the customer's Referrer Policy has a vulnerability.
Forwarding of referrer URLs from customer's closed domains is no longer desirable and therefore they need to stop this. 
The referrer policy will have the value 'no-referrer' or 'same-origin' (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
).

The question is if adjusting this setting may have consequences for the functioning of Dynatrace.

Currently they use Agentless RUM, manually injected. Where for example "app.customer.domain" is where the injection takes place, and  RUM data is sent to "activegate.customer.domain".

I happen to think that the change in Referrer policy has no direct effect on Dynatrace RUM. Dynatrace is great in detecting and measuring the use of referrers. But I want to be absolutely sure this has not impact.

1 REPLY 1

simon_schatka
Dynatrace Helper
Dynatrace Helper

As always the answer is "it depends".

There are many factors influencing the outcome:

* Are they using https(i am guessing they do)

* Are we talking about newer browsers which have Server-Timing API support?

* Do they use older jsagent versions and aws lambda support?

 

In general we have improved a few things recently with aws lambda support to make it work. There are however some limitations where we do need the referer to properly correlate a webrequest to an action. This is mostly the case when loading e.g. images during an action, because the request is triggered entirely by the browser and we can not modify the information on those requests. Those might not be correlated(see above list), because we can not 100% be sure that they match to an action and we'd rather not correlate them than correlate them wrong.

 

So the best thing is probably to try it out and see if it affects the customer in a way that is acceptable or not. But as always with almost all security relevant changes: If you get rid of data, you might also get rid of functionality.