Closed Bug 122453 Opened 18 years ago Closed 3 years ago
General policy for sending referrer information
We need to take a look at the circumstances under which we send referrer headers, product-wide. The issue keeps getting raised in particular contexts, such as mail, or included content requests like <SCRIPT SRC=...>. Rather than revisiting this issue over and over, we should come up with a general policy for when we do and don't send referrer information, and possibly add a pref to disable referrers in most or all cases.

The following excerpt from RFC 2068 was quoted in an email from Dan Malmer:

> Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

The whole RFC is available at: http://www.faqs.org/rfcs/rfc2068.html

See bug 64248. There are probably some other dependencies as well.
Just a stupid comment: we should not send a referrer from any mail; it's useless.
Shouldn't that be rfc2616?
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
This seems covered by the referrer policy spec: https://w3c.github.io/webappsec-referrer-policy/ RESOLVED FIXED? Or DUPLICATE?
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
The referrer-policy spec lets a _page_ restrict (or in fact increase) the Referer: header, which is useful but kind of the opposite of what the spec referenced in comment 0 says. Firefox _does_ have prefs that let the user trim referrers though, so we did implement that along the way, albeit in a not very user-friendly way. https://searchfox.org/mozilla-central/source/modules/libpref/init/all.js#1457