
Given the bugs, are these the correct referrer settings for privacy?


Karl Winzig

Apr 23, 2016, 3:57:44 AM
to mozilla-sup...@lists.mozilla.org
Just *reading* this related bug report, for example, makes me dizzy:
https://bugzilla.mozilla.org/show_bug.cgi?id=822869

Even so, I read everything I could on this, and there are MANY bugs
listed against these settings, so, I only ask if this is the correct
setup for privacy?

Note: * === the default in FF 43

1. "network.http.sendRefererHeader"
Determines when to send the Referer HTTP header.
0: Never send the referring URL
(reputedly breaks some sites, e.g., http://www.imdb.com/)
1: Send the referring URL only when links are clicked.
*2: Send the referring URL when links and images are clicked
(generally set for Firefox 28 and later where 3 new options better
control referrers).

Privacy recommendation: 2 (default) Use in conjunction with those below!
(allows sites to work which won't work if referrers are blocked)

2. "network.http.sendSecureXSiteReferrer"
Determines how to handle Referer HTTP header when navigating between
secure (HTTPS) hosts.
*true: Send referring URL normally (default for compatibility reasons,
see bug 141641)
false: Send no referring URL (i.e., disable referer from an SSL Website)

Privacy recommendation: false

The next three were introduced in Firefox 28 and they are processed by
Firefox in this order:

3. "network.http.referer.spoofSource"
*false: Send the referrer
true: Spoof the referer by using the target URI as the referer
(instead of sending the real referrer)

Privacy recommendation: true
(allows sites to work which won't work when the referrer is blocked)

4. "network.http.referer.XOriginPolicy"
*0: Always send the referrer
1: Only send the referrer if the referrer & destination base domains match
2: Only send the referrer if referrer & destination hosts match
(makes spoofSource & trimmingPolicy useless if going from a.example.com
to b.example.com since no referrer would be sent because the hosts
"a" and "b" don't match.)

Privacy recommendation: 1

5. "network.http.referer.trimmingPolicy"
*0: Send the full URI
1: Send the scheme+host+port+path
2: Send the scheme+host+port

Privacy recommendation: 2

Given the many bugs where this changed (mainly at Firefox 28 and
Firefox 36 beta), would you concur with the settings I've chosen
above as recommended for users who care about their privacy?

PS: I'm aware of add-ons but I prefer as few addons as possible.
Header Control Revived:
https://addons.mozilla.org/de/firefox/addon/headercontrolrevived/?src=search

Referer Control:
https://addons.mozilla.org/firefox/addon/referrer-control/

Smart Referer:
https://addons.mozilla.org/firefox/addon/smart-referer/

Karl Winzig

Apr 23, 2016, 4:10:24 PM
to mozilla-sup...@lists.mozilla.org
Karl Winzig <kwi...@notgmail.com> wrote on Sat, 23 Apr 2016 02:40:16 -0500

> I only ask if this is the correct setup for privacy?

Giving back to the ng, I read every article that mentioned these
settings that is possible to find on Google, so, I believe my
combined writeup below is the *best* (bar none) on the Internet
for accuracy and privacy advice (related to these 5 preferences).

Let me know if anything below is wrong, but I believe it is
the best that anyone can possibly find on the entire net.

**************************************************************************
How to properly set referrer preferences in user.js for Firefox 43.0
**************************************************************************
==========================================================================
Purpose: Set user.js preferences to protect referrer privacy.
April 23, 2016, by Karl Winzig
Reviewed: April 23, 2016, by http://tinyurl.com/mozilla.firefox.support
& simultaneously reviewed by http://tinyurl.com/alt.os.linux
==========================================================================
1. "network.http.sendRefererHeader"
Determines when to send the Referer HTTP header.
0: Never send the referring URL
(reputedly breaks some sites, e.g., http://www.imdb.com/)
1: Send the referring URL only when links are clicked.
*2: Send the referring URL when links and images are clicked
(generally set for Firefox 28 and later where three new
options better control referrers).
----------------------------------------
Privacy recommendation: 2 (default)
----------------------------------------
Use in conjunction with those below!
(allows sites to work which won't work if referrers are blocked)
user_pref("network.http.sendRefererHeader", 2);//Send (but spoof it which requires later settings)
==========================================================================
2. "network.http.sendSecureXSiteReferrer"
Determines how to handle Referer HTTP header when navigating between
secure (HTTPS) hosts.
*true: Send referring URL normally (default for compatibility reasons,
see bug 141641)
false: Send no referring URL
(i.e., disable referer from an SSL Website)
----------------------------------------
Privacy recommendation: false
----------------------------------------
user_pref("network.http.sendSecureXSiteReferrer", false);//false=do not send the Referer header when going from one https site to another https site
==========================================================================
The next three were introduced in Firefox 28.
Firefox apparently interprets these in the 1-to-5 order shown here.
==========================================================================
3. "network.http.referer.spoofSource"
*false: Send the referrer
true: Spoof the referer by using the target URI as the referer
(instead of sending the real referrer)
----------------------------------------
Privacy recommendation: true
----------------------------------------
(allows sites to work which won't work when the referrer is blocked)
user_pref("network.http.referer.spoofSource", true);//true=spoof referer (use target URI as referer)
==========================================================================
4. "network.http.referer.XOriginPolicy"
*0: Always send the referrer
1: Only send the referrer if the referrer & destination base
domains match
2: Only send the referrer if referrer & destination hosts match
(makes spoofSource & trimmingPolicy useless if going from
a.example.com to b.example.com since no referrer would be
sent because the hosts "a" and "b" don't match.)
----------------------------------------
Privacy recommendation: 1
----------------------------------------
user_pref("network.http.referer.XOriginPolicy", 1);//1=send if base domains match
==========================================================================
5. "network.http.referer.trimmingPolicy"
*0: Send the full URI
1: Send the scheme+host+port+path
2: Send the scheme+host+port
----------------------------------------
Privacy recommendation: 2
----------------------------------------
user_pref("network.http.referer.trimmingPolicy", 2);//2=scheme+host+port
--------------------------------------------------------------------------
Note: * === the default in FF 43
--------------------------------------------------------------------------
**************************************************************************

Karl Winzig

Apr 23, 2016, 4:52:56 PM
to mozilla-sup...@lists.mozilla.org
Karl Winzig <kwi...@notgmail.com> wrote on Sat, 23 Apr 2016 15:09:49 -0500

Here are the open questions, the answers to which will help
thousands of people if you can help us obtain the answers.

1. What web site can we use to test #1 in action? (imdb?)
"network.http.sendRefererHeader"
2. What are the implications of setting #2 to false?
"network.http.sendSecureXSiteReferrer"
3. What does the target URI look like in #3 for the site in #1 & #2?
"network.http.referer.spoofSource"
4. What is an example of a base domain vs. a destination host in #4?
"network.http.referer.XOriginPolicy"
5. How does the "full URI" differ from scheme+host+port+path in #5?
"network.http.referer.trimmingPolicy"

At the moment, the *only* two sites, both cumbersome, that I know
of for *testing* the referrer URIs, are the following:

a. http://www.ghacks.net/2015/01/22/improve-online-privacy-by-controlling-referrer-information/
b. https://www.grc.com (very cumbersome "shieldsup!" testing process)

If you know of *better* testing sites for the Firefox referrer
URI privacy leaks, please let the ng know so that everyone benefits
from your knowledge.

EE

Apr 23, 2016, 5:15:53 PM
to mozilla-sup...@lists.mozilla.org
Those settings look good, except would not trimming to the extreme cause
problems, for instance, with a site that checked whether you went
through the log-in page before going to the information or
message-posting page?

Karl Winzig

Apr 23, 2016, 6:37:38 PM
to mozilla-sup...@lists.mozilla.org
EE <nu...@bees.wax> wrote on Sat, 23 Apr 2016 14:15:17 -0700

> Those settings look good, except would not trimming to the extreme cause
> problems, for instance, with a site that checked whether you went
> through the log-in page before going to the information or
> message-posting page?

Thank you for reviewing the privacy proposal, as my goal is always
the same, which is privacy for everyone who uses Firefox, WITHOUT
the need for addons (some of which themselves destroy privacy by
their very existence).

"network.http.referer.trimmingPolicy"
Controls the amount of information in the referrer.
*0: Send the full URI
1: Send the scheme+host+port+path
2: Send the scheme+host+port

I can't even start to answer your question because I don't even have
a good test site to test what we'd see in the three situations above.

And, worse, I don't even know what a "full URI" is, nor what a
"scheme" is.

Does anyone here have a good test site where we can check what
the difference is between (0) "full URI" versus whatever it means
by (1) scheme+host+port+path, or (2) scheme+host+port?

Specifically, what's a "scheme" anyway?

EE

Apr 25, 2016, 3:17:25 PM
to mozilla-sup...@lists.mozilla.org
The scheme would be the format used. The full URI is the whole address,
with protocol, hostname, subdirectories, page name, internet port
number, and any other incidental information normally included. Think
of the extra characters that you see with forum pages, or locations in
Google Maps. The setup with <1> would leave out the extra data but
still have protocol, host, subdirectories, page, port. The setup with
<2> would be just the minimum: protocol, host, port number.

I tried the one exception that I had in RefControl (that I had before I
switched to the new settings) and it worked, but that is just one site.
