Closed Bug 122453 Opened 18 years ago Closed 3 years ago

General policy for sending referrer information

Categories: Core :: Security, defect

RESOLVED WORKSFORME

People: Reporter: security-bugs; Assigned: dveditz

We need to take a look at the circumstances under which we send referrer
headers, product-wide. The issue keeps getting raised in particular contexts,
such as mail, or included content requests like <SCRIPT SRC=...>. Rather than
revisiting this issue over and over, we should come up with a general policy for
when we do and don't send referrer information, and possibly add a pref to
disable referrers in most or all cases. The following excerpt from RFC 2068 was
quoted in an email from Dan Malmer:

    Note: Because the source of a link may be private information or
    may reveal an otherwise private information source, it is strongly
    recommended that the user be able to select whether or not the
    Referer field is sent. For example, a browser client could have a
    toggle switch for browsing openly/anonymously, which would
    respectively enable/disable the sending of Referer and From
    information.

The whole RFC is available at:

http://www.faqs.org/rfcs/rfc2068.html

See bug 64248. There are probably some other dependencies as well.
Just a stupid comment:
We should not send a referrer from any mail - it's useless.
Shouldn't that be rfc2616?
Blocks: referer
Assignee: security-bugs → dveditz
QA Contact: bsharma → toolkit
This seems covered by the referrer policy spec
https://w3c.github.io/webappsec-referrer-policy/

RESOLVED FIXED? or DUPLICATE?
Flags: needinfo?(dveditz)
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WORKSFORME
The referrer-policy spec lets a _page_ restrict (or in fact increase) the Referer: header, which is useful but kind of the opposite of what the spec referenced in comment 0 says. Firefox _does_ have prefs that let the user trim referrers though, so we did implement that along the way, albeit in a not very user-friendly way.
https://searchfox.org/mozilla-central/source/modules/libpref/init/all.js#1457
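A worked illustration of the page-side control described in the last comment, added here as an example and not code from this bug, from Firefox, or from the W3C spec: it computes the Referer value a browser would send for a given Referrer-Policy, following the spec's "determine request's referrer" steps for http(s) sources and destinations (the spec's length cap, opaque origins and non-http schemes are treated as "send nothing"). Sample URLs are constructed.

```javascript
// Returns the string a browser would place in the Referer header, or null
// when no referrer is sent. Follows the W3C referrer-policy algorithm for
// http(s) documents; other schemes (mail, file:, about:) send no referrer.

// "Stripping a URL for use as a referrer": drop credentials and fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form: scheme://host[:port]/ with no path, query or fragment.
function originOnly(url) {
  return new URL(url).origin + '/';
}

// "Potentially trustworthy" reduced to the common cases: https or loopback.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  return u.protocol === 'https:' || u.hostname === 'localhost' || u.hostname === '127.0.0.1';
}

function determineReferrer(policy, sourceUrl, destinationUrl) {
  const src = new URL(sourceUrl);
  const dst = new URL(destinationUrl);
  if (src.protocol !== 'http:' && src.protocol !== 'https:') return null;
  const sameOrigin = src.origin === dst.origin;
  // A "downgrade" is a request from a trustworthy (https) page to a non-trustworthy one.
  const downgrade = isPotentiallyTrustworthy(sourceUrl) && !isPotentiallyTrustworthy(destinationUrl);
  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return stripForReferrer(sourceUrl);
    case 'origin':                     return originOnly(sourceUrl);
    case 'same-origin':                return sameOrigin ? stripForReferrer(sourceUrl) : null;
    case 'strict-origin':              return downgrade ? null : originOnly(sourceUrl);
    case 'origin-when-cross-origin':   return sameOrigin ? stripForReferrer(sourceUrl) : originOnly(sourceUrl);
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(sourceUrl);
    case '':                           // empty policy falls back to the spec default
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? stripForReferrer(sourceUrl) : originOnly(sourceUrl);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}
```

The default policy already hides the path and query from cross-origin requests and sends nothing on an https-to-http downgrade; only `unsafe-url` (or `no-referrer-when-downgrade` across origins) leaks the full URL, which is the case the RFC note in comment 0 warns about.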