Security/Referrer

From MozillaWiki

Existing functionality

  • network.http.sendRefererHeader
    • controls whether or not to send a referrer regardless of origin
    • values:
      • 0 = never send the header
      • 1 = send the header only when clicking on links and similar elements
      • 2 = (default) send on all requests (e.g. images, links, etc.)
  • network.http.referer.trimmingPolicy
    • controls how much referrer to send regardless of origin
    • values:
      • 0 = (default) send the full URL
      • 1 = send the URL without its query string
      • 2 = only send the origin
  • network.http.referer.XOriginTrimmingPolicy
    • controls how much referrer to send across origins
    • values:
      • 0 = (default) send the full URL
      • 1 = send the URL without its query string
      • 2 = only send the origin
  • network.http.referer.XOriginPolicy
    • controls whether or not to send a referrer across origins
    • values:
      • 0 = (default) send the referrer in all cases
      • 1 = send a referrer only when the base domains are the same
      • 2 = send a referrer only on same-origin
  • network.http.referer.spoofSource
    • true = send the target URL as the referrer
  • network.http.referer.userControlPolicy
    • set the default referrer policy (which can be overridden by the site)
    • values:
      • 0 = no-referrer
      • 1 = same-origin
      • 2 = strict-origin-when-cross-origin
      • 3 = (default) no-referrer-when-downgrade
  • network.http.sendSecureXSiteReferrer
    • false = don't send referrer when going from one HTTPS origin to another (but HTTP is ok)
  • network.http.enablePerElementReferrer
    • false = prevent sites from setting a referrer policy at the element level
  • network.http.referer.hideOnionSource (only relevant for Tor?)
    • true = strip out the referrer when it's a .onion address
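
How the four send/trim prefs above combine for a single request, as an added example (a simplified model, not Firefox source code and not part of the original page). It covers only sendRefererHeader, trimmingPolicy, XOriginTrimmingPolicy and XOriginPolicy; computeReferrer() and baseDomain() are hypothetical names, the URLs are constructed, and the two points marked "Assumption" in the comments are simplifications.

```javascript
// Added example: a simplified model of the prefs listed above.
// DEFAULTS mirrors the documented default values.
const DEFAULTS = {
  "network.http.sendRefererHeader": 2,
  "network.http.referer.trimmingPolicy": 0,
  "network.http.referer.XOriginTrimmingPolicy": 0,
  "network.http.referer.XOriginPolicy": 0,
};

// Assumption: base domain = last two host labels. A real implementation
// needs the Public Suffix List, so this is wrong for suffixes like co.uk.
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Returns the Referer value, or null when no header would be sent.
// isLinkClick: true for link clicks and similar, false for images etc.
function computeReferrer(source, target, isLinkClick, overrides = {}) {
  const p = { ...DEFAULTS, ...overrides };
  const src = new URL(source);
  const dst = new URL(target);

  const send = p["network.http.sendRefererHeader"];
  if (send === 0 || (send === 1 && !isLinkClick)) return null;

  const crossOrigin = src.origin !== dst.origin;
  const xPolicy = p["network.http.referer.XOriginPolicy"];
  if (xPolicy === 2 && crossOrigin) return null;
  if (xPolicy === 1 && baseDomain(src.hostname) !== baseDomain(dst.hostname)) {
    return null;
  }

  // Assumption: a cross-origin request gets the stricter of the two
  // trimming prefs; a same-origin request only gets trimmingPolicy.
  let trim = p["network.http.referer.trimmingPolicy"];
  if (crossOrigin) {
    trim = Math.max(trim, p["network.http.referer.XOriginTrimmingPolicy"]);
  }

  if (trim === 2) return src.origin + "/";
  // The fragment and any credentials are never part of a referrer.
  return src.origin + src.pathname + (trim === 0 ? src.search : "");
}

// Constructed sample URLs: a page with a secret in its query string.
const SRC = "https://mail.example.com/inbox?token=abc123#msg4";
const DST = "https://cdn.example.net/logo.png";
```

With the defaults, computeReferrer(SRC, DST, false) includes the token in the query string; setting network.http.referer.XOriginTrimmingPolicy to 2 reduces the cross-origin value to the origin while same-origin requests still carry the full URL.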

Further work

Prior proposals