diff --git a/docs/images-and-visitor-metrics.md b/docs/images-and-visitor-metrics.md index 7d18c81..c7e51b1 100644 --- a/docs/images-and-visitor-metrics.md +++ b/docs/images-and-visitor-metrics.md @@ -68,9 +68,10 @@ bots. Compare `d7` after a full week, `d30` after thirty days. (Admin shows this Privacy unchanged: only a salted `visitor_hash` is stored (no IP, no raw token, no fingerprint). -### Optional (not done) — homepage hero referrer -For `remote` images, article cards and the share page use ``, so -the publisher CDN doesn't get the referring URL. The homepage hero (`.news-plate`) is a CSS -`background-image`, which can't carry that policy, so it leaks the referrer (not the IP — that's -unavoidable for any remote image). Converting the hero to a real `` -would make it consistent. Deferred pending an owner decision (touches the cover/contain hero rendering). +### Referrer suppression on remote images +Every on-site image request for a `remote` source sets `referrerpolicy="no-referrer"` so the +publisher CDN doesn't get the referring URL: article cards, the share page, AND the homepage hero +(converted from a CSS `background-image` to a real `` — the retry probe sets +`probe.referrerPolicy='no-referrer'` too). This hides the *referrer*, **not** the visitor's IP — +any remote image necessarily exposes the IP to the CDN. For zero third-party image requests, the +source must be `none` or explicitly cleared for local caching (`cache`).
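Review bot: the inline code spans that should name the element are empty on both the removed and the added lines ("use ``, so the publisher CDN" and "converted from a CSS `background-image` to a real ``"), so the rendered doc never says which element carries `referrerpolicy="no-referrer"`; fill them in with the actual tag before merging, otherwise the new section is as ambiguous as the one it replaces. Two smaller points in the same hunk: the closing sentence introduces `cache` as a source value ("explicitly cleared for local caching (`cache`)") without saying what that setting is or where it is configured, so either define it next to `none` or link the section that does; and the parenthetical about the retry probe setting `probe.referrerPolicy='no-referrer'` is the only code-level claim here, so name the file so a reader can check that the probe and the hero image both set the policy rather than taking "every on-site image request" on trust.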