Security/Referrer: Difference between revisions

Existing functionality

• network.http.sendRefererHeader
  • controls whether or not to send a referrer regardless of origin
  • values:
    • 0 = never send the header
    • 1 = send the header only when clicking on links and similar elements
    • 2 = (default) send on all requests (e.g. images, links, etc.)
• network.http.referer.trimmingPolicy
  • controls how much referrer to send regardless of origin
  • values:
    • 0 = (default) send the full URL
    • 1 = send the URL without its query string
    • 2 = only send the origin
• network.http.referer.XOriginTrimmingPolicy
  • controls how much referrer to send across origins
  • values:
    • 0 = (default) send the full URL
    • 1 = send the URL without its query string
    • 2 = only send the origin
• network.http.referer.XOriginPolicy
  • controls whether or not to send a referrer across origins
  • values:
    • 0 = (default) send the referrer in all cases
    • 1 = send a referrer only when the base domains are the same
    • 2 = send a referrer only on same-origin
• network.http.referer.spoofSource
  • true = send the target URL as the referrer
• network.http.referer.defaultPolicy
  • set the default referrer policy (which can be overriden by the site)
  • values:
    • 0 = no-referrer
    • 1 = same-origin
    • 2 = strict-origin-when-cross-origin
    • 3 = (default) no-referrer-when-downgrade
• network.http.referer.defaultPolicy.pbmode
  • same as above but only for Private Browsing
• network.http.sendSecureXSiteReferrer
  • false = don't send referrer when going from one HTTPS origin to another (but HTTP is ok)
• network.http.enablePerElementReferrer
• false - prevent sites from setting a referrer policy at the element level
• network.http.referer.hideOnionSource (only relevant for Tor?)
  • true - strip out the referrer when it's a .onion address

Further work

• Add Origin header to POST requests
  • to obsolete Referer as a CSRF defense mechanism
  • https://public.etherpad-mozilla.org/p/bug446344
• Add new XOriginTrimmingPolicy pref
  • the only missing component to give users the same control as developers (via Referrer Policy)
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1307596
• Remove network.http.sendSecureXSiteReferrer
  • obsolete, no longer matches our direction with HTTPS origins
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1308725
  • will also fix https://bugzilla.mozilla.org/show_bug.cgi?id=358892
  • https://github.com/pyllyukko/user.js/pull/190
• Remove network.http.enablePerElementReferrer
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1354331
• Make default policy configurable
  • we could specify the default (overridable by site owners)
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1304623
• Test different default for Private Browsing (Shield study)
  • strict-origin-when-cross-origin seems like a good candidate
  • https://github.com/mozilla/privacy-prefs
  • https://bugzilla.mozilla.org/show_bug.cgi?id=587523

Prior proposals

• Referrer meta-bug: https://bugzilla.mozilla.org/show_bug.cgi?id=61660
• Referrer Policy: https://www.w3.org/TR/referrer-policy/
  • meta-referrer blog post: https://blog.mozilla.org/security/2015/01/21/meta-referrer/
• Brian Smith's WebAppSec proposal: https://briansmith.org/referrer-01
  • Mike West's reply: https://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0027.html
• Shortened HTTP Referer project: https://wiki.mozilla.org/Privacy/Features/Shortened_HTTP_Referer_header
  • https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J
  • Per-site referer sending: https://bugzilla.mozilla.org/show_bug.cgi?id=966505 (stalled)
  • Changing the default referrer: https://bugzilla.mozilla.org/show_bug.cgi?id=970092 (stalled)