change default referer setting

NEW
Unassigned

Status

()

Core
Networking: HTTP
4 years ago
12 days ago

People

(Reporter: eyal gruss (eyaler), Unassigned)

Tracking

(Depends on: 1 bug, Blocks: 2 bugs, {privacy})

Trunk
privacy
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [necko-would-take])

(Reporter)

Description

4 years ago
I suggest we change the default referer behavior to minimize cross-site information leakage. 
I believe a reasonable setting which balances usability and privacy would be:
send full URI if base domains match
trim to host otherwise

Comment 1

4 years ago
> I believe a reasonable setting which balances usability and privacy would be:
> send full URI if base domains match
> trim to host otherwise

That's still a privacy leak - the target site gets to know which site I was at.

Personally, I think the best default would be:
* send full URI if base domains match
* send host of target otherwise

Comment 2

4 years ago
(In reply to Ben Bucksch (:BenB) from comment #1)
> Personally, I think the best default would be:
> * send full URI if base domains match
> * send host of target otherwise

Yes, but that might "Break The Internet" (slightly) and thus scare people off of doing this. This part of the Internet is worth breaking, but in order to get this actually out there it's probably better to start by first just restricting the referer. It would still be a fantastic improvement.
Please discuss in dev-privacy instead of here. The bug should be about the implementation of whatever policy is decided on, not the place to discuss what the policy should be.

You can subscribe to dev-privacy here: https://lists.mozilla.org/listinfo/dev-privacy

See previous discussion on dev-privacy here:
https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J for an earlier attempt at that discussion. That message also includes a link to the project page for the overall project. I expect that Sid Stamm will be sharing his thoughts on the default policy soon.

Comment 4

4 years ago
>  Yes, but that might "Break The Internet" (slightly)

Not from my experience. I'm running without any referers since more than a decade, and aside from less than a handful of sites (launchpad, MDN *cough*), it's working just fine. If we allow inner-domain referers, it should be fine, unless they have a really broken check that verifies external login on another domain. But again, if there's a problem, it's confined to very few instances, from my experience.

Comment 5

4 years ago
(In reply to Ben Bucksch (:BenB) from comment #4)
Comment 4 just describes the specific way in which the Internet is broken ever so slightly for you. ;)

Comment 6

4 years ago
On Brian's request, I posted on dev-privacy, in the very thread he mentioned above.
(Reporter)

Updated

4 years ago
Depends on: 970136
Whiteboard: [necko-would-take]

Comment 7

a year ago
I totally agree that this should be implemented as soon as possible.

I'm using network.http.referer.XOriginPolicy and network.http.referer.trimmingPolicy since they were implemented. The only issue I had so far was on support.amd.com. Driver downloads (which are located on *.ati.com) are only working when you referer matches exactly the download site on support.amd.com.

This would be a major issue for common users on Windows and AMD should really fix this.
Other broken sites may follow once this is enabled.

However, I think it should be possible to change this setting only in private for now.
You need to log in before you can comment on or make changes to this bug.