Improve online privacy by controlling referrer information

Martin Brinkmann
Jan 22, 2015

Whenever you click on a link on a web page to open another one in the same browser, referrer information is sent to the linked site.

You can verify this for yourself by visiting our IP lookup script which reveals your current IP address and other information including the referer (it is a misspelling that is used in this way in the HTTP specification).

The referrer field was designed to provide the linked web property with information about where a user originated from.

Sites use referrer information for a variety of purposes. Analytics comes to mind but there are other purposes such as hotlinking protection or verification (if you don't have the right referrer, you are not allowed access).

Some services add sensitive information to the referrer field. It became known recently that Healthcare.gov includes personal data in the referrer. According to the news article, the site's referrer may include information about a person's age, income, zip code, smoking habit or pregnancy.

Mozilla announced yesterday that it added support for the so-called meta referrer tag to Firefox Beta which provides developers with options to control referrer information on their sites.

Relying on developers to get it right (they did not in the first place) is probably not the best option from a user perspective.

Internet users can control referrer information on their end, and this guide looks at how that is done in popular browsers such as Mozilla Firefox or Google Chrome.

Attention: Modifying the referrer may render some sites unusable. Some extensions below support whitelisting which you can use in this case to override the default behavior.

Mozilla Firefox


Firefox users have the widest range of options when it comes to controlling referer information in the browser.

  • HeaderControlRevived provides you with options to control the referer, user-agent and accept-language on a per-site basis.
  • Referer Control offers full control over referrer information in Firefox. It ships with basic rules that you can switch between (the default is to strip the referrer when third-party requests are made), and options to override the default behavior for select sites.
  • Smart Referer is a Firefox add-on that only sends referer information on the same domain. It supports whitelists and different modes that give you more control over the process but it should work right out of the box for most users.

Besides using extensions, Firefox users can also configure referrer handling directly on the browser's about:config page.

network.http.sendRefererHeader

  • 0 - never send the referring URL.
  • 1 - send only when links are clicked.
  • 2 - send for links and images (default).

network.http.referer.XOriginPolicy

  • 0 - always send referrer (default).
  • 1 - only send if base domains match.
  • 2 - only send if hosts match.

network.http.referer.spoofSource

  • false - send the referrer (default).
  • true - spoof the referrer and use the target URI instead.

network.http.referer.trimmingPolicy

  • 0 - send full URI (default).
  • 1 - scheme, host, port and path.
  • 2 - scheme, host and port.
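
How the four preferences above combine for a single request, as an added example that is not code from this article or from Firefox. It assumes the preferences are applied in the order they are listed; `computeReferer` and `baseDomain` are hypothetical names, "base domain" is approximated as the last two host labels, and all URLs are constructed.

```javascript
// Simplified model of the four about:config referrer preferences.
const DEFAULT_PREFS = {
  sendRefererHeader: 2, // 0 never, 1 clicked links only, 2 links and images
  XOriginPolicy: 0,     // 0 always, 1 base domains match, 2 hosts match
  spoofSource: false,   // true: use the target URI as the referrer
  trimmingPolicy: 0,    // 0 full URI, 1 scheme+host+port+path, 2 scheme+host+port
};

// Assumption: last two labels stand in for the base domain. Firefox uses the
// Public Suffix List, so hosts such as example.co.uk are not modelled correctly.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// kind: 'link' for a clicked link, 'embed' for an image or other subresource.
// Returns the Referer header value, or null when no header is sent.
function computeReferer(sourceUrl, targetUrl, kind, prefs = {}) {
  const p = { ...DEFAULT_PREFS, ...prefs };
  const source = new URL(sourceUrl);
  const target = new URL(targetUrl);

  // 1. sendRefererHeader: is a referrer sent for this kind of request at all?
  if (p.sendRefererHeader === 0) return null;
  if (p.sendRefererHeader === 1 && kind !== 'link') return null;

  // 2. XOriginPolicy: compared on the real source, before any spoofing.
  if (p.XOriginPolicy === 1 &&
      baseDomain(source.hostname) !== baseDomain(target.hostname)) return null;
  if (p.XOriginPolicy === 2 && source.hostname !== target.hostname) return null;

  // 3. spoofSource: pretend the request came from the target itself.
  const ref = p.spoofSource ? target : source;

  // 4. trimmingPolicy: how much of the chosen URI is exposed.
  //    Origin-only values are written with a trailing slash.
  if (p.trimmingPolicy === 2) return ref.origin + '/';
  if (p.trimmingPolicy === 1) return ref.origin + ref.pathname;
  // "Full URI" still excludes the fragment and any user:password part.
  return ref.origin + ref.pathname + ref.search;
}

// Constructed sample: a page whose URL carries personal data in the query string.
const SAMPLE_SOURCE = 'https://a.example.com/plan/results?age=40&zip=85601#top';
const SAME_SITE = 'https://b.example.com/ads';
const THIRD_PARTY = 'https://tracker.example.net/pixel.gif';

// Runs the sample through several pref combinations and returns the results.
function demo() {
  return {
    defaults: computeReferer(SAMPLE_SOURCE, THIRD_PARTY, 'link'),
    trimmed: computeReferer(SAMPLE_SOURCE, THIRD_PARTY, 'link', { trimmingPolicy: 2 }),
    baseMatch: computeReferer(SAMPLE_SOURCE, THIRD_PARTY, 'link', { XOriginPolicy: 1 }),
    hostMatch: computeReferer(SAMPLE_SOURCE, SAME_SITE, 'link',
      { XOriginPolicy: 2, spoofSource: true, trimmingPolicy: 2 }),
  };
}
```

With the defaults, the third-party host receives the full query string; with XOriginPolicy set to 2, the spoofing and trimming settings never come into play for a cross-host request.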

Google Chrome

Google Chrome users can install browser extensions (which may also work in Opera and other Chromium-based browsers) to control referrer behavior.

  • Referer Control for Google Chrome strips referrer information when third-party requests are made by default. It features customization options for individual sites and options to set a custom global referer or block referers outright.
  • Request Header Hook allows you to set cookie, referer and user-agent policies for individual sites.

Online Services


You have several options to control referrer information without installing extensions or manipulating browser settings.

One of the easier options for links is to copy a link and paste it in a private browsing window or another browser to make a direct request.

Services like NullRefer can be used to replace the referrer so that it is not sent when you load sites on the Internet.

Now You: How do you handle referer information on your end?


Comments

  1. Franck said on May 25, 2017 at 1:29 pm

    Highly valuable information! Thank you so much!

  2. Concerned Netizen said on January 3, 2017 at 7:15 pm

    Also about disabling Hardware Acceleration, is it really worth it? https://www.reddit.com/r/firefox/comments/4rgxj4/what_kinds_of_potential_privacysecurity_risks/….does it affect the eff and JonDonym test?
    Thanks

    1. Martin Brinkmann said on January 3, 2017 at 7:19 pm

      I would not worry about this too much, there are bigger things to take care of first like making sure WebGL does not leak your IP address.

      1. Concerned Netizen said on January 3, 2017 at 7:27 pm

        Thanks!!!

  3. Concerned Netizen said on January 3, 2017 at 7:01 pm

    Hello Martin,
    I am looking forward to use your privacy&security tweaked user.js….
    name: ghacks user.js
    date: 02 July 2016
    version: 0.10
    u said
    “1600: HEADERS / REFERRERS
    Except for 1601, these can all be best handled by an extension to block/spoof
    all and then white-list if needed, otherwise too much of the internet breaks”
    Am i safe if I have turned on spoof referrer in U-matrix?
    I went to http://ghacks.net/ip/ and the referrer section was blank aka null aka void :3
    Best Regards

    1. Martin Brinkmann said on January 3, 2017 at 7:06 pm

      The referrer is blank if you open the page directly (as you are not referred to it by any other page). Test again with a click on the link in your comment

      1. Concerned Netizen said on January 3, 2017 at 7:26 pm

        I just did ….it’s still blank….
        more from help info umatrix…
        “If this setting is checked, uMatrix will spoof the HTTP referrer information if the domain name of the HTTP referrer is third-party to the domain name of net request”
        Thanks for the swift reply….

  4. Copy-Paste said on February 21, 2015 at 6:14 pm
  5. Richard Allen said on January 28, 2015 at 8:48 pm

    Thought I would jump back in here and point out something I noticed yesterday. When trying to log into my TP-Link router it was very unhappy about my having “network.http.referer.XOriginPolicy” set to 1. I had to reset the entry (only one that was changed) back to default to be able to log into my router.

  6. PJ said on January 22, 2015 at 8:00 pm

    Coincidentally, a few days ago I was wondering about the below Firefox about:config preference name, which appears to be an accidental “misspelling” of a historical misspelling:-
    • network.http.sendSecureXSiteReferrer = false (default: true).

    In contrast, the related prefs are all spelt “referer”:-
    • network.http.sendRefererHeader = 0 (default: 2) => note: 0 or 1 tends to break some websites
    • network.http.referer.trimmingPolicy = 2 (default: 0)
    • network.http.referer.spoofSource = true (default: false)
    • network.http.referer.XOriginPolicy = 1 (default: 0)

    Why doesn’t Firefox go ahead to consistently misspell everything in about:config, so as to conform to the historical misspelling ? At least it makes searching about:config easier, w/o having to worry about which (mis)spelling to use.

    Meanwhile, in the page tag syntax <meta name="referrer" content="origin">, it’s back to “referrer”. Hmm, would Firefox recognize the page tag if it were (mis)spelt “referer” instead ? Are these 2 terms technically interchangeable (ie. accepted as synonyms of each other) where browser behaviour is concerned ?

    1. Fred said on January 24, 2015 at 11:00 am

      @PJ: D’uh, I said linguistically. Referrer is a legitimate word

      1. Tom Hawack said on January 24, 2015 at 2:53 pm

        @PJ, “universal simplicity” is not in my thoughts an understatement to advantage one protocol rather than another as such but a quest for a “natural writing” (without the extent of phonetic-driven spelling), and be it American, well, is logical I guess. May be mentioned as well vowels which add nothing to the meaning and seem tied to roots which either are co-substantial of a culture be it popular either of academic elites, e.g. color (US) versus colour (UK), that is if color is still written colour in UK as it was in the past (colour here is mentioned by inline dictionary as misspelled…I know: depends of the dictionary, this one is Firefox’s built-in for the US version…).

        Also a thought for bilinguals when a word takes double letters in one language and not in another, e.g. dictionary in English and dictionnaire in French… this drove, drives me often in a mixed-up state of mind :)

        Anyway languages arise as sometimes a such deep modification of those they are built upon (from) that they emancipate to deliver their full identity, I guess. The idea as I see it is do we (each one of us) or not engage, lean towards, accept or not a pragmatic approach of languages, and if yes to what extent? In school I was taught that some rules have a meaning for understanding the phrase whilst others were legitimate only regarding respect to culture, etymology, roots. As I am not myself an academic I refer my reasoning to the former argument when lesser or not at all to the latter. So, a choice for everyone of us now and perhaps less in the perspective of time when one day or another academics themselves, unless they be scribes, will have to bend!

        Thanks for your links, interesting as this topic and our dialogs are. I appreciate them all.

      2. PJ said on January 24, 2015 at 2:14 pm

        The “universal simplicity” of avoiding double letters for English words seems more like an American protocol. Don’t forget that there are also British, Canadian, Australian, NZ, Hong Kong, Singapore, etc. English users who follow the double-letter convention. Eg. Firefox en-US suggests “derogatory”, but that looks off to me who is schooled in British English (“derrogatory”).

        The internet “referer” appears a total of 7 times in the RFC-1945 standards document. There is no mention of “referrer” at all, but RFC-1945’s multinational authors subsequently had a very brief discussion about it, which might be of interest:-

        lists.w3.org/Archives/Public/ietf-http-wg-old/1995JanApr/0105.html

        Message: Referer: (sic)
        Date: 09 Mar 1995

        John Franks :
        Has anyone else noticed that the HTTP header "Referer:" is spelled wrong?

        M. Hedlund :
        Correct in Britain, though, no?

        Mike Cowlishaw :
        Nope, we Brits spell it with four R's in total (and that's also the only spelling shown in the OED, with quotes from the 1600's and 1800's).

        Roy T. Fielding :
        That's okay, neither one (referer or referrer) is understood by [UNIX] "spell" anyway. I say we should just blame it on France. ;-)

      3. Tom Hawack said on January 24, 2015 at 12:33 pm

        Well if we have to find a common denominator it would be that of a universal simplicity as opposed to local/regional/historical roots. Mainly, no double letters for instance, and referer rather than referrer (but not Holywood rather than Hollywood because holy itself has a meaning), and so on. SMS is another problem, I’m not fond of phonetic spelling, but either we continue to refer (!) to academic sources (but which ones) either we break the very idea of legitimacy in linguistics…

        Small planet, big village and arising communication problems.

      4. PJ said on January 24, 2015 at 11:54 am

        @Fred — It depends on whose linguistics. For instance, “referer” (référer) is an equally legitimate French verb, meaning “to refer”.

        We can perhaps think of the historically-misspelt “referer” (English) as internet linguistics. A somewhat related example could be “program” (software) vs. “programme” (eg. TV or concert programme).

        However, it is confusing when the internet uses “referer” vs. “referrer” inconsistently. Ay, therein lies the rub … Notice how the article itself missed out Firefox’s about:config > network.http.sendSecureXSiteReferrer — presumably because Martin was only searching for “referer”.

        As such, methinks it would be better if internet specifications were to stick with one for internet usage, keeping in mind that the other is a synonym.

        Although I personally prefer “referrer” (because this is the correct British, American, Canadian, Australian & NZ English spelling), I remain aware that I do not own the internet, & therefore cannot dictate how the internet structures its own linguistics.

    2. Martin Brinkmann said on January 22, 2015 at 8:37 pm

      I think it comes from the fact that the misspelling crept in the official standard back then, but was corrected recently for “new” stuff. I think I read that somewhere. Do agree though that it is less than ideal.

      1. PJ said on January 23, 2015 at 8:50 pm

        Something went missing from my previous comment (23 Jan 2015, 1:10 pm):
        • HTML5 — meta name=”referrer”

        Some of the quirks of ghacks’ comment plugin:-
        1) Bold (b) tags are not recognized.

        2) Trying out (strong) tags. Oh it works here …

        3) Phrases (eg. meta name) can’t be enclosed within the less-than & more-than symbols. The phrase (& even the entire comment itself) will go missing after the comment is published.

      2. PJ said on January 23, 2015 at 1:10 pm

        As an untrained lay user, I’m curious as to how programmers remember which spelling to use in which context. Below are what I came across:-

        • PHP — HTTP_REFERER
        • Ruby — URI(request.referer).path
        • Go — func (*Request) Referer

        • HTML DOM — document.referrer
        • HTML5 —
        • ASP — Request.UrlReferrer

        Perhaps programmers & specifiers of web standards can take reference from how the International Code of Botanical Nomenclature (ICBN) very consistently handles synonyms, intentionally “misspelt/ mispelled” names, as well as accidental misspellings/ typos/ misgendered names.

        * ICBN Chapter VII — Orthography & Gender Of [Botanical] Names:
        http://www.bgbm.org/iapt/nomenclature/code/SaintLouis/0065Ch7OaGoNSec1a60.htm

        PS: Given the ongoing inconsistency of “referer” vs. “referrer” wrt usage & acceptance, thank goodness that programming & internet syntax doesn’t also come in male vs. female/ femail/ femayle … flavours/ flavors ! ;)

      3. PJ said on January 23, 2015 at 1:00 pm

        @Fred — Writing “referrer” when the program/ language requires “referer” (or vice versa) for a particular context renders your action null/ undefined.

        For instance, I notice that Firefox simply ignores any newly-introduced pref names containing the variant spelling, even though FF accepts the same variant spelling for other pref names:-

        • network.http.sendRefererHeader = 2 (default, ie. send for links & images)

        • network.http.sendReferrerHeader = 0 (ie. never send referrer URL)
        ⇒ new custom pref, ignored by FF, doesn’t override or conflict with the above

        Another example as follows …

        http://validator.w3.org/check?uri=referer
        ⇒ Works ok: “your browser did not send the HTTP “Referer” header field”

        http://validator.w3.org/check?uri=referrer
        ⇒ Doesn’t work: “500 Can’t connect to referrer:80 (Bad hostname ‘referrer’)”

      4. Tom Hawack said on January 22, 2015 at 11:47 pm

        I cannot remember which Registry key had been misspelled by Microsoft and couldn’t possibly be changed afterwards for obvious reasons. This key held a famous tweak and many sites proposed this tweak but without the misspelling … leading to a [null] effect :) That was under XP, no idea if it survived afterwards.

      5. Fred said on January 22, 2015 at 10:37 pm

        I checked this out and apparently the new way “referer” is the misspelling, but it’s only misspelled in some standards which makes things messy. I’m gonna keep writing “referrer” since that’s right linguistically.

  7. Oxa said on January 22, 2015 at 3:41 pm

    What I’ve never really understood is if referrer data is passed from one tab to another in the browser. If, say, I’m on a library website and I open a bookstore website in another tab, does the bookstore get referrer info from the library?

    1. Martin Brinkmann said on January 22, 2015 at 3:43 pm

      If you open the bookstore from a link on the library website then yes. If you open a new tab and enter the url manually, then no.

      1. m said on March 16, 2015 at 3:39 am

        So what we need is an addon that turns a click on a link into a copy+paste+go of the linked address into the url bar.
        Is there such a thing?

      2. Martin Brinkmann said on March 16, 2015 at 7:50 am

        I don’t think there is one.

      3. Ronald said on January 23, 2015 at 9:55 pm

        Okay so what you wrote in the article — “… copy a link and paste it in a private browsing window or another browser to make a direct request” — is not really necessary then? Paste or type the destination into a new (private or non-private) tab in the browser, or you could just re-use another already open tab for the purpose.

  8. Tom Hawack said on January 22, 2015 at 2:49 pm

    I believe newest Firefox versions have included everything necessary for fine tuning the referrer.
    Here I’ve set as follows:

    user_pref("network.http.sendRefererHeader", 2); // Default = 2
    user_pref("network.http.referer.XOriginPolicy", 1); // Default = 0
    user_pref("network.http.referer.spoofSource", false); // Default = false
    user_pref("network.http.referer.trimmingPolicy", 0); // Default = 0
    user_pref("network.http.sendSecureXSiteReferrer", false); // Default = true

    Setting network.http.referer.spoofSource to true does lead indeed to some problems even if in my experience not often.
    In fact I’ve only modified the network.http.referer.XOriginPolicy from 0 to 1 and the network.http.sendSecureXSiteReferrer from true to false

  9. vux777 said on January 22, 2015 at 1:01 pm

    In Chrome, Opera, Dragon…(chromiums) I added “ --no-referrers” to shortcut (right click shortcut, properties..)
    like this http://prntscr.com/5vkp6o
    no extra services or extensions

  10. Ray said on January 22, 2015 at 11:59 am

    On Firefox, I use Smart Referer.

    For Chromium, I use KISS Privacy.

  11. David said on January 22, 2015 at 11:26 am

    Good article. I’ll be trying the built-in Fx settings first and will see how that goes.

    HeaderControlRevived is one of only two extensions I now know of that lets you control the Useragent on a per-site basis. Very useful.

    1. David said on January 22, 2015 at 10:33 pm

      Sending no referer broke some things already, so I’ve adjusted my preferences to just Spoof (true) and Trim (2). Working well so far.

      1. PJ said on January 25, 2015 at 1:18 pm

        @Tom — I think “meh” (‘Smart Referer’ add-on developer) & “JeremiasFromHere” (commenter at Mozilla add-ons) are not the same person ?

        To me, it seems what “JeremiasFromHere” was trying to say is that these 3 “newly-introduced” Firefox prefs (network.http.referer.XOriginPolicy / spoofSource/ trimmingPolicy) have made the ‘Smart Referer’ add-on redundant when the user goes from a.example.com to b.example.com (ie. same base domain but different hosts).

        According to github.com/meh/smart-referer, this add-on (purpose: send referers only when **staying on the same domain**) creates the following new (otherwise non-existent) prefs in about:config.

        • extensions.smart-referer.strict = false [default: true]
        • extensions.smart-referer.allow [space-separated list of wildcard domains]
        • extensions.smart-referer.whitelist [whitelisted URLs; if left empty, pref is disabled]
        • extensions.smart-referer.mode = self [default; other options: “direct” & “user”]

        By default (unless whitelisted), the SR add-on prevents referrers from being sent when one goes from a.example.com to b.example.com, even when network.http.referer.XOriginPolicy = 0 [default, always send].

        In other words, whether or not the Firefox user tweaks his network.http.referer.XOriginPolicy, the settings of the SR add-on are supposed to override the Firefox pref. (Or at least this is what I observe in similar referrer-control add-ons wrt Firefox referrer prefs that have been left as default. Interestingly, those referrer add-ons won’t work properly, if I were to set FF’s referrer prefs to match the add-ons’ configurations.)

        I don’t think the SR add-on disturbs Firefox’s default settings for network.http.referer.spoofSource or network.http.referer.trimmingPolicy. If these are changed to non-default values, my guess is that they are ignored if the SR add-on is enabled.

      2. Tom Hawack said on January 24, 2015 at 6:45 pm

        Duplicate

      3. Tom Hawack said on January 24, 2015 at 6:10 pm

        Worth reading perhaps the note of the developer of Firefox’s Smart Referer add-on, valid for Firefox referrer management itself :

        Since Firefox 28 there are three new items in about:config:

        network.http.referer.XOriginPolicy: 0=always send, 1=send if base domains match, 2=send if hosts match
        network.http.referer.spoofSource: false=real referer, true=spoof referer (use target URI as referer)
        network.http.referer.trimmingPolicy: 0=send full URI, 1=scheme+host+port+path, 2=scheme+host+port

        Referrer processing is done in this order. Thus, setting XOriginPolicy to 2 makes spoofSource and trimmingPolicy useless if going from a.example.com to b.example.com, since no referrer would be sent anyway due to the XOriginPolicy.

        Source : https://addons.mozilla.org/en-US/firefox/addon/smart-referer/

        Therefore: network.http.referer.XOriginPolicy is the first setting to consider.

      4. PJ said on January 24, 2015 at 5:46 pm

        @David — If your Firefox’s network.http.sendRefererHeader = 2 (default) or 1, Google Search will pass on both the referrer header AND your search terms to the destination sites.

        Also, if you clicked on a Tesco Direct link at iloveduck.com, Tesco Direct will know exactly from which page of iloveduck.com you came from.

        The ‘Referrer Control’ add-on allows you to whitelist sites, so that they don’t break. The tradeoff is that you have to let these sites have the referrer info.

        Note: For the ‘Referrer Control’ add-on to work properly, retain Firefox’s network.http.sendRefererHeader = 2 (default), & set the add-on’s Rule Preferences as “remove” (ie. remove referrer info for non-whitelisted sites). If you set network.http.sendRefererHeader = 0, the sites you whitelist in the add-on will continue to break.

      5. David said on January 24, 2015 at 2:43 pm

        Nope, even with just those two sites like Tesco Direct don’t work. Seems to be not such a good idea. Who cares if they know I got there via Google, really?
