Closed
Bug 122453
Opened 18 years ago
Closed 3 years ago
General policy for sending referrer information
Categories
(Core :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: security-bugs, Assigned: dveditz)
We need to take a look at the circumstances under which we send referrer headers, product-wide. The issue keeps getting raised in particular contexts, such as mail, or included content requests like <SCRIPT SRC=...>. Rather than revisiting this issue over and over, we should come up with a general policy for when we do and don't send referrer information, and possibly add a pref to disable referrers in most or all cases.

The following excerpt from RFC 2068 was quoted in an email from Dan Malmer:

    Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

The whole RFC is available at: http://www.faqs.org/rfcs/rfc2068.html

See bug 64248. There are probably some other dependencies as well.
Comment 1•18 years ago
just a stupid comment: We should not send a referrer from any mail - it's useless
Updated•13 years ago
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
Comment 3•3 years ago
This seems covered by the referrer policy spec https://w3c.github.io/webappsec-referrer-policy/ - RESOLVED FIXED? or DUPLICATE?
Flags: needinfo?(dveditz)
Updated•3 years ago
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WORKSFORME
Comment 4•3 years ago
The referrer-policy spec lets a _page_ restrict (or in fact increase) the Referer: header which is useful but kind of opposite what the spec referenced in comment 0 says. Firefox _does_ have prefs that let the user trim referrers though, so we did implement that along the way, albeit in a not very user-friendly way. https://searchfox.org/mozilla-central/source/modules/libpref/init/all.js#1457
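The mapping from each referrer-policy value to the Referer value a conforming browser sends, as an added Python example that is not part of this bug or of Firefox's code; it simplifies the spec's "potentially trustworthy" test to a plain https-to-http downgrade check and only treats http/https sources as able to carry a referrer at all:

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# The eight policy values defined by the W3C Referrer Policy spec.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def _origin(url: str) -> str:
    """Serialize scheme://host[:port], omitting the scheme's default port."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{p.hostname or ''}{port}"

def _strip_for_referrer(url: str) -> str:
    """'Strip url for use as a referrer': drop user:pass@ and the fragment."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))

def referrer_for(source: str, destination: str, policy: str) -> Optional[str]:
    """Referer header value for a request from `source` to `destination`,
    or None when no header is sent."""
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy}")
    src = urlsplit(source)
    # Local schemes (about:, data:, blob:, file:) never leak a referrer.
    if src.scheme not in ("http", "https"):
        return None
    # Simplification (assumption): secure == https; the spec's
    # "potentially trustworthy" also covers localhost and a few others.
    downgrade = src.scheme == "https" and urlsplit(destination).scheme == "http"
    same_origin = _origin(source) == _origin(destination)
    full = _strip_for_referrer(source)      # path + query kept
    origin_only = _origin(source) + "/"     # origin-only flag set
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    # strict-origin-when-cross-origin: today's browser default
    if same_origin:
        return full
    return None if downgrade else origin_only
```

Note that the policy governs only what the page chooses to leak; a user-side pref that trims referrers, as comment 4 describes, applies on top of (and can further reduce) whatever this function returns.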