Security/Referrer
From MozillaWiki
Existing functionality
- network.http.sendRefererHeader
  - controls whether or not to send a referrer at all, regardless of origin
  - values:
    - 0 = never send the header
    - 1 = send the header only when clicking on links and similar elements (user-initiated navigations), not for subresource loads
    - 2 = (default) send on all requests (e.g. images, links, etc.)
- network.http.referer.trimmingPolicy
  - controls how much of the referrer URL to send, regardless of origin
  - values:
    - 0 = (default) send the full URL
    - 1 = send the URL without its query string
    - 2 = only send the origin
- network.http.referer.XOriginTrimmingPolicy
  - controls how much of the referrer URL to send on cross-origin requests (same-origin requests are governed by trimmingPolicy alone)
  - values:
    - 0 = (default) send the full URL
    - 1 = send the URL without its query string
    - 2 = only send the origin
- network.http.referer.XOriginPolicy
  - controls whether or not to send a referrer at all on cross-origin requests
  - values:
    - 0 = (default) send the referrer in all cases
    - 1 = send a referrer only when the base domains (eTLD+1) are the same
    - 2 = send a referrer only when the hosts match (same-origin)
- network.http.referer.spoofSource
  - false = (default) send the real referring URL
  - true = send the target URL as the referrer, so a request appears to come from the page it is requesting
- network.http.referer.defaultPolicy
  - sets the default referrer policy, used when the site does not specify one (a site-supplied Referrer-Policy overrides it)
  - values:
    - 0 = no-referrer
    - 1 = same-origin
    - 2 = strict-origin-when-cross-origin
    - 3 = (default) no-referrer-when-downgrade
- network.http.referer.defaultPolicy.pbmode
  - same as above, but applies only in Private Browsing
- network.http.referer.hideOnionSource (only relevant for Tor?)
  - true = strip out the referrer when the referring page is a .onion address
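As an added example (not Firefox code and not from this wiki page), the following JavaScript models how the prefs listed above combine to produce the Referer header for a request. It assumes the default policy from defaultPolicy is evaluated first, that XOriginPolicy can then suppress the header, and that the stricter of trimmingPolicy and XOriginTrimmingPolicy is applied last; base-domain matching is approximated by the last two host labels (Firefox uses the Public Suffix List), the "clicking on links" case of sendRefererHeader=1 is modelled with a hypothetical userClick flag, and hideOnionSource and the pbmode variant are left out.

```javascript
// Added example: a model of how the Firefox referrer prefs listed above combine.
// This is not Firefox's implementation; it follows the pref descriptions on this
// page and Referrer Policy semantics. Assumptions: the default policy is applied
// first, XOriginPolicy may then suppress the header, and the stricter of the two
// trimming prefs is applied last.

// Defaults as listed on the page.
const DEFAULT_PREFS = {
  "network.http.sendRefererHeader": 2,
  "network.http.referer.trimmingPolicy": 0,
  "network.http.referer.XOriginTrimmingPolicy": 0,
  "network.http.referer.XOriginPolicy": 0,
  "network.http.referer.spoofSource": false,
  "network.http.referer.defaultPolicy": 3,
};

const POLICY_NAMES = [
  "no-referrer",
  "same-origin",
  "strict-origin-when-cross-origin",
  "no-referrer-when-downgrade",
];

// Simplification: eTLD+1 approximated as the last two labels of the host.
// Firefox uses the Public Suffix List, so a.co.uk vs b.co.uk would count as the
// same base domain here but not in Firefox.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function isDowngrade(src, dst) {
  return src.protocol === "https:" && dst.protocol === "http:";
}

// Credentials and the fragment are never part of a Referer; then trim per level:
// 0 = full URL, 1 = drop the query string, 2 = origin only.
function trimReferrer(url, level) {
  if (level >= 2) return url.origin + "/";
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (level === 1) u.search = "";
  return u.href;
}

// Returns the Referer value to send, or null when no header is sent.
// userClick (hypothetical parameter, not a pref) models the "clicking on links
// and similar elements" case of sendRefererHeader=1.
function computeReferer(referringUrl, targetUrl, prefs = {}, { userClick = false } = {}) {
  const p = { ...DEFAULT_PREFS, ...prefs };
  const target = new URL(targetUrl);
  // spoofSource: claim the request came from the target itself.
  const src = new URL(p["network.http.referer.spoofSource"] ? targetUrl : referringUrl);

  const send = p["network.http.sendRefererHeader"];
  if (send === 0 || (send === 1 && !userClick)) return null;

  const sameOrigin = src.origin === target.origin;
  const xop = p["network.http.referer.XOriginPolicy"];
  if (xop === 1 && baseDomain(src.hostname) !== baseDomain(target.hostname)) return null;
  if (xop === 2 && src.hostname !== target.hostname) return null;

  // Default Referrer Policy (this model ignores any site-supplied policy).
  let level = 0;
  switch (POLICY_NAMES[p["network.http.referer.defaultPolicy"]]) {
    case "no-referrer":
      return null;
    case "same-origin":
      if (!sameOrigin) return null;
      break;
    case "strict-origin-when-cross-origin":
      if (isDowngrade(src, target)) return null;
      if (!sameOrigin) level = 2;
      break;
    case "no-referrer-when-downgrade":
      if (isDowngrade(src, target)) return null;
      break;
    default:
      throw new Error("unknown defaultPolicy value");
  }

  // The trimming prefs can only shorten what the policy already allows.
  level = Math.max(level, p["network.http.referer.trimmingPolicy"]);
  if (!sameOrigin) level = Math.max(level, p["network.http.referer.XOriginTrimmingPolicy"]);
  return trimReferrer(src, level);
}

// Usage: the same cross-origin navigation under the defaults and under defaultPolicy=2.
console.log(computeReferer("https://shop.example.com/cart?id=42#x", "https://tracker.example.net/"));
console.log(computeReferer("https://shop.example.com/cart?id=42#x", "https://tracker.example.net/",
  { "network.http.referer.defaultPolicy": 2 }));
```

The model makes the interaction visible: under the defaults a cross-origin HTTPS request leaks the full path and query, while defaultPolicy=2 reduces it to the origin, and any of the trimming or XOrigin prefs can only make the result shorter or suppress it, never longer.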
Further work
- Add Origin header to POST requests
  - to obsolete Referer as a CSRF defense mechanism
  - https://public.etherpad-mozilla.org/p/bug446344
- Add new XOriginTrimmingPolicy pref: the only missing component to give users the same control as developers have via Referrer Policy
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1307596
  - obsolete, no longer matches our direction with HTTPS origins
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1308725
    - will also fix https://bugzilla.mozilla.org/show_bug.cgi?id=358892
  - https://github.com/pyllyukko/user.js/pull/190
- We could specify the default referrer policy (overridable by site owners)
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1304623
  - strict-origin-when-cross-origin seems like a good candidate
- https://github.com/mozilla/privacy-prefs
- https://bugzilla.mozilla.org/show_bug.cgi?id=587523
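To illustrate the "Add Origin header to POST requests" item above, here is an added server-side CSRF origin check in JavaScript; it is not Mozilla code and not from this page. It prefers the Origin header because Origin is origin-only by construction and is unaffected by the user's referrer trimming and suppression prefs, falls back to the origin of the Referer, and rejects state-changing requests that carry neither. The allowed origin, the request samples and the header shapes are constructed for the example.

```javascript
// Added example (not Mozilla code): a server-side CSRF origin check of the kind
// the "Origin header on POST" item above would let sites rely on. Origin is
// checked first; Referer is only a fallback; a request carrying neither is
// rejected (fail closed).

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // malformed or relative Referer: treat as absent
  }
}

// headers: object with lower-case header names, as Node's http module provides.
// Returns { ok, reason } so callers can log why a request was rejected.
function checkCsrfOrigin(method, headers, allowedOrigins) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { ok: true, reason: "safe method" };
  }
  const origin = headers["origin"];
  if (origin !== undefined) {
    // Opaque origins (sandboxed iframes, data: documents) serialize as "null".
    if (origin === "null") return { ok: false, reason: "opaque origin" };
    return allowedOrigins.has(origin)
      ? { ok: true, reason: "origin header" }
      : { ok: false, reason: "origin mismatch: " + origin };
  }
  const refOrigin = headers["referer"] !== undefined ? originOf(headers["referer"]) : null;
  if (refOrigin === null) {
    return { ok: false, reason: "no origin or referer" };
  }
  return allowedOrigins.has(refOrigin)
    ? { ok: true, reason: "referer header" }
    : { ok: false, reason: "referer mismatch: " + refOrigin };
}

// Constructed sample requests (not captured traffic); bank.example is the site's own origin.
const ALLOWED = new Set(["https://bank.example"]);
const SAMPLE_REQUESTS = {
  // Same-site form post: Origin present and matching.
  legit: { method: "POST", headers: { origin: "https://bank.example", referer: "https://bank.example/transfer?step=2" } },
  // Cross-site form post from an attacker-controlled page.
  csrf: { method: "POST", headers: { origin: "https://attacker.example", referer: "https://attacker.example/evil.html" } },
  // User runs with network.http.sendRefererHeader=0 and a client that sends no Origin: fail closed.
  stripped: { method: "POST", headers: {} },
  // Referer trimmed to origin only (trimmingPolicy=2) and no Origin: the fallback still works.
  trimmed: { method: "POST", headers: { referer: "https://bank.example/" } },
  // Sandboxed iframe: Origin serializes as "null".
  opaque: { method: "POST", headers: { origin: "null" } },
  // Reads are not state-changing and are left to the normal access checks.
  read: { method: "GET", headers: {} },
};

function evaluateSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = checkCsrfOrigin(req.method, req.headers, ALLOWED);
  }
  return out;
}

for (const [name, result] of Object.entries(evaluateSamples())) {
  console.log(name.padEnd(9), result.ok ? "allow " : "reject", result.reason);
}
```

The "stripped" sample is the case the further-work item targets: a user who disables Referer entirely is rejected by a Referer-only CSRF check, whereas once browsers send Origin on every POST the same check passes for them without weakening the defense.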
Prior proposals
- Referrer meta-bug: https://bugzilla.mozilla.org/show_bug.cgi?id=61660
- Referrer Policy: https://www.w3.org/TR/referrer-policy/
- meta-referrer blog post: https://blog.mozilla.org/security/2015/01/21/meta-referrer/
- Brian Smith's WebAppSec proposal: https://briansmith.org/referrer-01
- Mike West's reply: https://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0027.html
- Shortened HTTP Referer project: https://wiki.mozilla.org/Privacy/Features/Shortened_HTTP_Referer_header
- mozilla.dev.privacy discussion: https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J
- Per-site referer sending: https://bugzilla.mozilla.org/show_bug.cgi?id=966505 (stalled)
- Changing the default referrer: https://bugzilla.mozilla.org/show_bug.cgi?id=970092 (stalled)