Closed Bug 1433353 Opened 6 years ago Closed 6 years ago

Use referrerpolicy to send Pocket referrer when story has HTTP URL

Categories

(Firefox :: New Tab Page, defect, P1)

Product:
Firefox
Component:
New Tab Page
Version:
58 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 60
Iteration:
60.1 - Jan 29
Tracking Flags:
Tracking Status
firefox60 --- fixed

People

(Reporter: dveditz, Assigned: Mardak)

References

Details

Attachments

(1 file)

Link to GitHub pull-request: https://github.com/mozilla/activity-stream/pull/3953
52 bytes, text/x-github-pull-request
Details | Review 
+++ This bug was initially created as a clone of Bug #1424292 +++

Pocket referrers weren't being sent to http stories because https referrers aren't sent to http domains. This corresponds to a Referrer Policy of "no-referrer-when-downgrade", the default.

The fix in bug 1424292 was to change the Pocket referrer to use an http: URL. It works, but doesn't match our policy of encouraging secure links on the web. An alternate fix would be to add a referrerpolicy="unsafe-url" attribute to the links so that https:// referrers are sent to http: targets.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#attr-referrerpolicy

(note that appears to be slightly out of date. for the full list of allowed policies see the Referrer Policy spec, but that list contains the one you want anyway.)

Referrerpolicy is also supported on fetch() if that's how you're loading stories. Window.open() doesn't seem to so I filed bug 1433352.
Pocket stories fake the referrer by opening with `openLinkIn` passing in a `referrerURI`:

https://searchfox.org/mozilla-central/source/browser/base/content/utilityOverlay.js#221-223

The very next line defaults the referrer policy to UNSET, so we can set it to UNSAFE instead:

"referrerPolicy" in params ? params.referrerPolicy : Ci.nsIHttpChannel.REFERRER_POLICY_UNSET

const unsigned long REFERRER_POLICY_UNSAFE_URL                 = 5;

https://searchfox.org/mozilla-central/source/netwerk/protocol/http/nsIHttpChannel.idl#77-78
Assignee: nobody → edilee
Iteration: --- → 60.1 - Jan 29
Some quick testing with a http server:

POLICY_UNSET http
”GET /foo HTTP/1.1" 301 400 "http://getpocket.com/recommendations"

POLICY_UNSET https
"GET /foo HTTP/1.1" 301 400 "-"

POLICY_UNSAFE https
"GET /foo HTTP/1.1" 301 400 "https://getpocket.com/recommendations"
Commit pushed to master at https://github.com/mozilla/activity-stream

https://github.com/mozilla/activity-stream/commit/63604da00b0931bfd9fec582c8b2e20fba05b2be
Merge pull request #3953 from Mardak/b1433353-referrer

Fix Bug 1433353 - Use referrerpolicy to send Pocket referrer when story has HTTP URL
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Blocks: 1434116
https://hg.mozilla.org/mozilla-central/rev/97b3915d56c4
status-firefox60: --- → fixed
Target Milestone: --- → Firefox 60
Component: Activity Streams: Newtab → New Tab Page
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: