intent-to-prototype: Disallow relaxing referrer policy for cross-site requests


Tim Huang

Aug 9, 2021, 9:02:10 AM
to dev-pl...@mozilla.org

Summary:


The HTTP header Referer[1] and the document.referrer API[2] allow a website to identify where the navigation came from. It contains the URL of the original page that linked to the current page. The referrer information can be useful for various purposes, such as website activity analytics or logging. However, the referrer can be abused for malicious uses, for example, Web tracking or leaking sensitive information.


To mitigate the privacy concern, the referrer policy[3] was proposed. It allows websites to control how much referrer information would be sent with requests. The websites can use it to stop leaking information for sensitive pages or protect users from referrer-based web tracking. But, the information could still be leaked with less strict referrer policies.


To better protect our users, we want to limit the usage of less strict referrer policies. Firefox will ignore ‘unsafe-url’, ‘no-referrer-when-downgrade’ and ‘origin-when-cross-origin’ for cross-site requests. These policies are weaker than the default policy of Firefox and might have privacy implications with cross-site requests. The prototype was implemented in Firefox 92 and put behind a pref. We will enable and test this protection in the Nightly and Early Beta channels.


Bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=1720291


Standard:

https://github.com/privacycg/proposals/issues/13


Platform coverage:

All


Preference:

“network.http.referer.disallowCrossSiteRelaxingDefault”


DevTools bug:

none


Other browsers:

Safari has implemented this behavior.

Brave has an even stricter behavior: it restricts less strict policies for all requests.

Chrome and Edge don’t have this protection.


web-platform-tests:

None


[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

[2] https://developer.mozilla.org/en-US/docs/Web/API/Document/referrer

[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy





--
Tim Huang
Mozilla
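
The effect of the protection described in the message above, as an added example that is not part of the original post and is not Firefox code. It assumes an ignored policy is replaced by `strict-origin-when-cross-origin` (Firefox's default), approximates "site" as the last two host labels (browsers use the Public Suffix List), and uses constructed URLs; all function names are hypothetical.

```javascript
// Policies the post says are ignored for cross-site requests.
const IGNORED_CROSS_SITE = new Set([
  "unsafe-url", "no-referrer-when-downgrade", "origin-when-cross-origin",
]);
const DEFAULT_POLICY = "strict-origin-when-cross-origin"; // assumed fallback

// Assumption: site = last two host labels. Real browsers use the Public Suffix List.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// prefEnabled models network.http.referer.disallowCrossSiteRelaxingDefault.
function effectivePolicy(policy, fromUrl, toUrl, prefEnabled = true) {
  const crossSite = siteOf(fromUrl) !== siteOf(toUrl);
  if (prefEnabled && crossSite && IGNORED_CROSS_SITE.has(policy)) return DEFAULT_POLICY;
  return policy;
}

// Referer value (null = header omitted) for the policies modelled here.
function refererFor(policy, fromUrl, toUrl, prefEnabled = true) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  from.hash = ""; from.username = ""; from.password = ""; // never sent in Referer
  const full = from.href, originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  // Simplified downgrade test: HTTPS page requesting a non-HTTPS URL.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (effectivePolicy(policy, fromUrl, toUrl, prefEnabled)) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default: throw new Error("policy not modelled: " + policy);
  }
}
```

With the pref on, a page that sets `unsafe-url` still sends its full URL to same-site subresources, but a cross-site request receives only the origin.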

