Open Bug 1585417 Opened 6 years ago Updated 3 years ago

Allow to add exceptions to spoofSource network user pref

Categories

(Core :: DOM: Security, enhancement, P5)

68 Branch
enhancement

UNCONFIRMED

People

(Reporter: u601362, Unassigned)

Details

(Whiteboard: [domsecurity-backlog])

+++ This bug was initially created as a clone of Bug #1578015 +++

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Enable the user_pref "network.http.referer.spoofSource" (set to true)
Login to Google Mail which redirects to accounts.google.com.
Google sends a login request to your registered devices (when you set them up to use for 2 factor authentication).

Actual results:

Immediately after the Google login page in my Firefox tab sends the login request and it appears on my device, an error popup appears on the login page inside Firefox.
This does not occur anymore when I set network.http.referer.spoofSource to "false" again.

Expected results:

I want to be able to specify a list of FQDNs for which the network.http.referer.spoofSource setting will not be applied, for example, accounts.google.com

Component: Security → DOM: Security

Potentially we could do that. Thomas what do you think?

Flags: needinfo?(tnguyen)

(In reply to sunrisechain from comment #0)
> I want to be able to specify a list of FQDNs for which the network.http.referer.spoofSource setting will not be applied, for example, accounts.google.com

I am not quite sure if there's a strong purpose in doing that, am I missing anything? Mostly the prefs are used to study how the web reacts to different referrers and to see the rate of breakages. Why should we add a whitelist of "broken websites" when we are trying to see how many breakages there are?
Besides, nowadays the pref is not used widely. The pref is to send a fake referrer (using the target URI), but people more often remove the referrer completely (cross-origin with XOriginPolicy, or completely with sendRefererHeader).

Flags: needinfo?(tnguyen)

I don't understand what you mean by "Why should we add a whitelist of "broken websites" when we are trying to see how many breakages there are?"

There should just be an easy way to fix the broken "tap on your phone" 2-step verification mechanism on accounts.google.com. As it was broken by the spoofSource property, I just think it's straightforward to disable the "cause" of the malfunction with an exception while keeping up spoofing the source for all other web pages which I potentially distrust.

"... but people more often remove the referrer completely (cross-origin with XOriginPolicy or completely with sendRefererHeader)."

I don't understand how I would set this up and whether this gives me complete privacy as well and what other side effects may have.

The hidden spoofSource preference is not a supported option in Firefox. It's a developer/debugging tool with rough edges that works "well enough" that we can't dedicate work to embellish. This is something the open source community will have to contribute if it's wanted.

Priority: -- → P5
Whiteboard: [domsecurity-backlog]

What exactly do you think is needed?

Would you accept just the exceptional part or would you require the community to cut off these "rough edges" first?

Ping

Severity: normal → S3