Closed Bug 1807537 Opened 2 years ago Closed 1 year ago

Referer is leaked when opening private tab from non-private tab

Categories

(Firefox for Android :: Privacy, defect, P2)

All
Android
defect

RESOLVED FIXED
126 Branch
Tracking Status
firefox120 --- wontfix
firefox121 --- wontfix
firefox126 --- fixed

People

(Reporter: cpeterson, Assigned: jackyzy823)

(Whiteboard: [fxdroid][foundation] [group4])

Attachments

(1 file)

From github: https://github.com/mozilla-mobile/fenix/issues/24135.

Steps to reproduce

  1. Have this issue page open in Firefox for Android (Fenix).
  2. Long-press https://referer.rustybrick.com/ and select "Open link in private tab".
  3. Open in "Desktop site" view. (This is not part of the bug, it's just necessary for the relevant data to be visible.)

(https://referer.rustybrick.com/ was the first public website that displays referers, that I could find, that actually worked, and did not look dodgy, though the UI is pretty terrible on mobile. https://anonymiz.com/myreferer also seems to work, but looks mildly suspicious.)

Expected behaviour

"No referer." is displayed, as the referer.

Actual behaviour

"https://github.com" is displayed, as the referer.

Device name

No response

Android version

Android 11

Firefox release type

Firefox

Firefox version

97.3.0

Device logs

No response

Additional information

(Also tested on latest Firefox nightly (99.0a1).)

This is a minor privacy issue. Testing with desktop Firefox and mobile Chrome, the referer is not leaked in this situation (opening a private ("incognito" for Chrome) tab from a non-private tab).

Change performed by the Move to Bugzilla add-on.

The severity field is not set for this bug.
:cpeterson, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(cpeterson)
Flags: needinfo?(cpeterson)

Hi QA team,
We would like to verify if this issue is still reproducible.

Thanks in advance!

Flags: qe-verify+

I just tested. This is still reproducible.

I think this is a GeckoView bug.

https://searchfox.org/mozilla-central/source/mobile/android/modules/geckoview/GeckoViewNavigation.sys.mjs#187-201

I think privateBrowsing is not taken into consideration.

Changing from

          const referrerPolicy = referrerWindow.browser.referrerInfo
            ? referrerWindow.browser.referrerInfo.referrerPolicy
            : Ci.nsIReferrerInfo.EMPTY;

to

          const { contentPrincipal } = this.browser;
          const isPrivate = contentPrincipal.privateBrowsingId != 0;

          const referrerPolicy = !isPrivate && referrerWindow.browser.referrerInfo
            ? referrerWindow.browser.referrerInfo.referrerPolicy
            : Ci.nsIReferrerInfo.EMPTY;

would be better.

<del>NOTE: empty will fall back to the pref value network.http.referer.defaultPolicy.pbmode (calculated in ComputeReferrer)</del>


Edit:
Previous solution is wrong. Empty will not fall back to network.http.referer.defaultPolicy.pbmode.
So we must directly set NO_REFERRER.

          const { contentPrincipal } = this.browser;
          const isPrivate = contentPrincipal.privateBrowsingId != 0;
          // A private tab gets NO_REFERRER outright instead of the opener's policy.
          const referrerPolicy = isPrivate
            ? Ci.nsIReferrerInfo.NO_REFERRER
            : referrerWindow.browser.referrerInfo
              ? referrerWindow.browser.referrerInfo.referrerPolicy
              : Ci.nsIReferrerInfo.EMPTY;

Severity: -- → S3
Priority: -- → P2
Whiteboard: [fxdroid][foundation]
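
The reasoning in the comment above, modelled as an added example (not GeckoView code and not part of the original comment). The `Policy` labels stand in for the `Ci.nsIReferrerInfo` constants, and the model assumes that an `EMPTY` policy resolves to the regular `strict-origin-when-cross-origin` default and that the opener tab carries no explicit policy.

```javascript
// Labels standing in for the Ci.nsIReferrerInfo constants (not Gecko's values).
const Policy = Object.freeze({
  EMPTY: "empty",
  NO_REFERRER: "no-referrer",
  STRICT_ORIGIN_WHEN_CROSS_ORIGIN: "strict-origin-when-cross-origin",
});
// Assumption: EMPTY resolves to the regular default, not the pbmode pref.
const ASSUMED_DEFAULT = Policy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN;

// The three policy selections discussed in the comment.
const variants = {
  original: ({ openerInfo }) =>
    openerInfo ? openerInfo.referrerPolicy : Policy.EMPTY,
  firstProposal: ({ isPrivate, openerInfo }) =>
    !isPrivate && openerInfo ? openerInfo.referrerPolicy : Policy.EMPTY,
  corrected: ({ isPrivate, openerInfo }) =>
    isPrivate
      ? Policy.NO_REFERRER
      : openerInfo ? openerInfo.referrerPolicy : Policy.EMPTY,
};

// Simplified Referer computation covering only the policies modelled here.
function refererHeader(policy, fromUrl, toUrl) {
  const effective = policy === Policy.EMPTY ? ASSUMED_DEFAULT : policy;
  if (effective === Policy.NO_REFERRER) return null;
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.origin === to.origin) {
    from.hash = "";
    return from.href; // same origin: full URL without the fragment
  }
  if (from.protocol === "https:" && to.protocol !== "https:") return null;
  return from.origin + "/"; // cross origin: origin only
}

// Constructed scenario: the URLs are the ones in the steps to reproduce, and
// the opener tab is assumed to carry no explicit policy of its own.
const SOURCE = "https://github.com/mozilla-mobile/fenix/issues/24135";
const TARGET = "https://referer.rustybrick.com/";

function simulate(variantName, isPrivate) {
  const openerInfo = { referrerPolicy: Policy.EMPTY };
  const policy = variants[variantName]({ isPrivate, openerInfo });
  return refererHeader(policy, SOURCE, TARGET);
}

for (const name of Object.keys(variants)) {
  console.log(name, "-> private tab Referer:", simulate(name, true));
}
```

Under these assumptions only the `corrected` variant yields no Referer for the private tab; the first proposal still sends the opener's origin, which matches the value reported under "Actual behaviour".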

Hi! I can confirm it as well, it reproduces on the latest builds (RC 120.0 and latest Nightly 121.0a1)
Device used: Samsung Galaxy S23 Ultra (Android 13).

Flags: qe-verify+

A slightly better way to reproduce:

  1. Open a normal tab and load https://stackoverflow.com/questions/5725430/http-test-server-accepting-get-post-requests
  2. Click the link "https://httpbin.org/headers" in the page and open the link in a private tab. NOTE: the link has the rel="noreferrer" attribute, which makes the behavior different on Desktop and Firefox for Android (because Firefox for Android hasn't implemented this).

Assignee: nobody → jackyzy823
Status: NEW → ASSIGNED

Some notes:

  1. Referrer policy in HTML element attributes is still not respected. Bug 1883291

  2. On Desktop, "Open Link in new Private window" will not send a referrer (Bug 1409226). So in the page of a private window, when you click "Open Link in new Private window", the new page in the newly created private window won't have a referrer.

    Should we use the same logic for Firefox for Android, which means a new tab opened by a private tab should have no referrer? (As "One Tab is One Window" is the design of GeckoView.)

Whiteboard: [fxdroid][foundation] → [fxdroid][foundation] [group4]
Pushed by m_kato@ga2.so-net.ne.jp: https://hg.mozilla.org/integration/autoland/rev/ac1d792e97df Don't send Referrer if private session is opened by a normal session. r=geckoview-reviewers,m_kato
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch