I suggest we change the default referer behavior to minimize cross-site information leakage. I believe a reasonable setting which balances usability and privacy would be:
* send full URI if base domains match
* trim to host otherwise
> I believe a reasonable setting which balances usability and privacy would be:
> * send full URI if base domains match
> * trim to host otherwise

That's still a privacy leak - the target site gets to know which site I was at. Personally, I think the best default would be:
* send full URI if base domains match
* send host of target otherwise
(In reply to Ben Bucksch (:BenB) from comment #1)
> Personally, I think the best default would be:
> * send full URI if base domains match
> * send host of target otherwise

Yes, but that might "Break The Internet" (slightly) and thus scare people off of doing this. This part of the Internet is worth breaking, but in order to get this actually out there it's probably better to start by first just restricting the referer. It would still be a fantastic improvement.
Please discuss in dev-privacy instead of here. The bug should be about the implementation of whatever policy is decided on, not the place to discuss what the policy should be. You can subscribe to dev-privacy here: https://lists.mozilla.org/listinfo/dev-privacy See previous discussion on dev-privacy here: https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J for an earlier attempt at that discussion. That message also includes a link to the project page for the overall project. I expect that Sid Stamm will be sharing his thoughts on the default policy soon.
> Yes, but that might "Break The Internet" (slightly)

Not from my experience. I've been running without any referers for more than a decade, and aside from less than a handful of sites (launchpad, MDN *cough*), it's working just fine. If we allow inner-domain referers, it should be fine, unless they have a really broken check that verifies external login on another domain. But again, if there's a problem, it's confined to very few instances, from my experience.
(In reply to Ben Bucksch (:BenB) from comment #4)

Comment 4 just describes the specific way in which the Internet is broken ever so slightly for you. ;)
On Brian's request, I posted on dev-privacy, in the very thread he mentioned above.
I totally agree that this should be implemented as soon as possible. I'm using network.http.referer.XOriginPolicy and network.http.referer.trimmingPolicy since they were implemented. The only issue I had so far was on support.amd.com. Driver downloads (which are located on *.ati.com) only work when your referer exactly matches the download site on support.amd.com. This would be a major issue for common users on Windows, and AMD should really fix this. Other broken sites may follow once this is enabled. However, I think it should be possible to change this setting only in private for now.
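As an added illustration (not code from this bug or from Firefox), the following models the two referer policies proposed in comments 0 and 1 and the "no referer" setting from comment 4, and shows why the support.amd.com / *.ati.com download check from comment 8 breaks under base-domain matching. The base-domain comparison is a constructed approximation (last two DNS labels) rather than a real public-suffix lookup, and the ati.com host and paths are constructed sample values.

```javascript
// Added example: models the referer policies discussed in this bug.
// `URL` is a global in Node and browsers, so no import is needed.

// Approximate the "base domain" (eTLD+1) as the last two labels of the host.
// Assumption: no multi-label public suffixes such as co.uk are involved.
function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Referer value to send when navigating from `sourceUrl` to `targetUrl`
// under the chosen policy, or null when nothing should be sent.
//   'full-or-source-host': full source URI on base-domain match, otherwise
//                           trimmed to the source host (comment 0 proposal)
//   'full-or-target-host': full source URI on base-domain match, otherwise
//                           the target host (comment 1 proposal)
//   'none':                never send a referer (comment 4)
function refererFor(sourceUrl, targetUrl, policy) {
  const src = new URL(sourceUrl);
  const dst = new URL(targetUrl);
  if (policy === 'none') return null;
  // Standard HTTP rule not discussed in the thread: never send a referer
  // when downgrading from HTTPS to HTTP.
  if (src.protocol === 'https:' && dst.protocol === 'http:') return null;
  if (baseDomain(src.hostname) === baseDomain(dst.hostname)) {
    // A full-URI referer carries origin, path and query, never the fragment.
    return src.origin + src.pathname + src.search;
  }
  if (policy === 'full-or-source-host') return src.origin + '/';
  if (policy === 'full-or-target-host') return dst.origin + '/';
  throw new Error(`unknown policy: ${policy}`);
}

// Constructed sample: the AMD driver download case from comment 8.
// amd.com and ati.com are different base domains, so the download host
// never sees the exact support.amd.com page URL it checks for.
const amdPage = 'https://support.amd.com/drivers/catalyst';
const atiDownload = 'https://drivers.ati.com/pkg.exe';
console.log(refererFor(amdPage, atiDownload, 'full-or-source-host'));
// Same base domain: full URI is sent (fragment dropped).
console.log(refererFor('https://a.example.com/p?q=1#frag',
                       'https://b.example.com/', 'full-or-source-host'));
```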