Mozilla Firefox Tweaks Referrer Policy To Shore Up User Privacy (zdnet.com)
Mozilla Firefox will soon include a revised Referrer Policy to tighten up queries and better protect user information. From a report: Firefox 87, due to ship on March 23, will cut back on path and query string information from referrer headers "to prevent sites from accidentally leaking sensitive user data." In a blog post on Monday, developer Dimi Lee and security infrastructure engineering manager Christoph Kerschbaumer said the latest browser version will include a "stricter, more privacy-preserving default Referrer Policy." Browsers send HTTP Referrer headers to websites to indicate which location has 'referred' a user to a website server. The full URL of the referring document is often sent in the HTTP Referrer header along with other subresource requests; while this may contain innocuous information used for purposes such as analytics, private user data may also be included. Referrer policies aim to protect this data, but if a website sets no policy, the browser usually falls back to "no-referrer-when-downgrade," a policy that, Firefox notes, does trim the referrer when navigating to a less secure resource but otherwise still "sends the full URL including path and query information of the originating document as the referrer."
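The difference between the old and new default is easiest to see by computing what a browser would actually put in the header. The following is an added example, not code from the Slashdot summary or from Mozilla: it implements the Referrer Policy computation for the policy names defined in the W3C spec and compares the old fallback ("no-referrer-when-downgrade") with Firefox 87's new fallback ("strict-origin-when-cross-origin"), which the summary refers to only as the "stricter" default. The bank and analytics URLs are constructed sample values, and the "downgrade" check is simplified to an https-to-http scheme change.

```python
from urllib.parse import urlsplit, urlunsplit

OLD_DEFAULT = "no-referrer-when-downgrade"      # pre-Firefox 87 fallback
NEW_DEFAULT = "strict-origin-when-cross-origin"  # Firefox 87 fallback

def _host_port(u):
    """host[:port] without userinfo, so credentials never reach the header."""
    p = urlsplit(u)
    return f"{p.hostname}:{p.port}" if p.port else (p.hostname or "")

def _origin(u):
    return f"{urlsplit(u).scheme}://{_host_port(u)}/"

def _full(u):
    """Full referrer: scheme, host, path and query; fragment and userinfo dropped."""
    p = urlsplit(u)
    return urlunsplit((p.scheme, _host_port(u), p.path or "/", p.query, ""))

def _is_downgrade(src, dst):
    # Simplified: spec uses 'potentially trustworthy' origins (e.g. localhost).
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"

def compute_referrer(policy, src, dst):
    """Return the Referer header value for a request from src to dst (None = no header)."""
    same_origin = _origin(src) == _origin(dst)
    downgrade = _is_downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(src)
    if policy == "origin":
        return _origin(src)
    if policy == "origin-when-cross-origin":
        return _full(src) if same_origin else _origin(src)
    if policy == "same-origin":
        return _full(src) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(src)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full(src)
        return None if downgrade else _origin(src)
    if policy == "unsafe-url":
        return _full(src)
    raise ValueError(f"unknown referrer policy: {policy}")

def compare_defaults(src, dst):
    """(old, new) header values, showing what the Firefox 87 change stops leaking."""
    return compute_referrer(OLD_DEFAULT, src, dst), compute_referrer(NEW_DEFAULT, src, dst)

if __name__ == "__main__":  # constructed sample: a session token in the query string
    page = "https://bank.example/accounts?id=12345&token=abc"
    for target in ("https://analytics.example/pixel", "http://cdn.example/x.js"):
        print(target, "->", compare_defaults(page, target))
```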
Why did it become harder to turn off (Score:3)
Why have Firefox and the various Chromium variants made it harder to simply turn off features I don't want? (Appropriate example: referrers aren't something I would leave on, but it has become harder and harder to find the way to turn them off.)
Re: (Score:2)
Where are these existing controls in Firefox? I've not seen them.
Re: (Score:2)
Are you asking where it was easy to set before or where to set it how? It used to be in the privacy tab, but that was an unknown number of iterations ago. Now it's under "about:config" then "network.http.sendRefererHeader" and set to 0
Re:Breaking changes (Score:5, Insightful)
I'm not sure why two websites should determine whether I share referrer information. My standards and policy may be different from theirs - and it's my data that's leaking, not the referring site's.
Re: (Score:2, Interesting)
I'm not sure why two websites should determine whether I share referrer information.
I don't even support user controlled policy settings because I personally believe such a setting would ultimately prove as useful and therefore harmfully misleading as "Do Not Track".
The reason I believe this is YOU made a decision to visit the site and this is an obvious consequence of YOUR choice. There is absolutely nothing from a technical perspective preventing a site from communicating the fact you visited it with any site it links to or anyone else for that matter regardless of referral policy. You
Re: (Score:3)
Except I'm talking about what my computer does, and DNT is attempting to control what someone else's computer does.
You don't se
Re: (Score:2)
Except I'm talking about what my computer does, and DNT is attempting to control what someone else's computer does.
This is a distinction without a difference.
Whether a hyperlink is mangled to include tracking information, or the data is transmitted out of band, or it is facilitated by third parties, any site that wants to collude with any other site to communicate referrals is still going to be able to do so regardless of this setting.
Likewise regardless of the DNT setting any site wishing to track is still going to be able to track.
The effective impact is exactly the same.
I don't support a lever to disable referrals NOT because
Re: (Score:2)
I have no clue what you are talking about. HTTP referrer information is sent from my computer and I have 100% control over it. Servers can request I not send that data, but that's still up to me. (See the inverse of DNT.)
You talked about other ways you can be tracked. That's true. But we're not talking about that.
Re: (Score:2)
I have no clue what you are talking about.
HTTP referrer information is sent from my computer and I have 100% control over it.
You have no control whatsoever over sites passing referral data to other sites.
Nothing stops site owners from transmitting data to a colluding site or third party within the hyperlink or by other means.
You talked about other ways you can be tracked. That's true. But we're not talking about that.
I'm talking about it because it is relevant to the issue at hand. Pointless to evaluate the merits of items in a vacuum without an understanding of the larger context in which they are actually used. The headers don't enable any capability site owners don't inherently already have. They don't provide any a
Link shimming, rewriting, auditing in browsers (Score:2, Informative)
Where are the privacy-forward browsers?
It's surprising that browsers still default to sending full referrer URLs but that reflects the emphasis on adding functionality for content producers or trackers rather than adding features only in a way that can preserve or further user privacy.
Aside from referrer tracking, sites have long used link shimming [eff.org] to hide what you're actually clicking on.
And browsers like Chrome have added a new hyperlink ping attribute [w3.org] so that JavaScript link rewriting isn't even necessar [eff.org]
How to disable link auditing (Score:2, Informative)
Link auditing is controlled by the Firefox about:config preference browser.send_pings
According to Malwarebytes, "As of presstime, Chrome, Edge, Opera, and Safari already allow link auditing by default and offer no option to disable it." [malwarebytes.com]
Comments on "Major Browsers to Prevent Disabling of Click Tracking Privacy Risk" [bleepingcomputer.com] at BleepingComputer discuss the feature's background.
Ping Blocker [bleepingcomputer.com] and uBlock Origin extensions may help on other browsers.
unsuitable for beermoney (Score:2)
This might mean that Firefox can't be used anymore for beermoney (online money making), since offers rely on referrer tracking and third-party cookies for credit. I hope I can disable this with a preference; otherwise I will have to keep an old version or switch.
Referer (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
I can already see this breaking some things (Score:3)
Not that it isn't their own fault, but some sites use referrer headers for legitimate reasons, such as an additional layer of protection against hotlinking. It's not pretty, and it already causes problems in some browsers (such as Tor).
What will be interesting to see IMO is if any (or many) sites simply don't care if it isn't Chrome or Safari.
Re: (Score:1)
If you remove all the tracking data from the URL, usually everything from the "?" onward can be dropped and the URL will still work. Though many sites run URL clicks through a redirector, so it's more difficult to get the real URL from those.
RIP Web 1.0 (Score:1)
And with this, we witness another staggering blow dealt against that most critical of Web 1.0 hallmarks: The update, or occasionally even full-time front-page feature, where the webmaster posts all the insane search terms that led people to the site.
Came here on a search for "innocent 'developer' leaking on request" btw