Firefox 59: Referer Path Stripping in Private Browsing

Martin Brinkmann
Feb 1, 2018
Updated • May 27, 2018

Mozilla plans to strip path information from the referer when visiting third-party sites starting in Firefox 59 Stable. The new feature applies to the browser's private browsing mode only.

Web browsers send sites information when a connection is initiated. Part of this is the referer value, which holds the path of the referring page.

When you click on a link, the URL of the page the link was clicked on is sent as the referrer by default. That data reveals information to the destination site. While it is usually limited to the full URL a user came from, that URL sometimes includes sensitive information that users may not want shared with other sites.

Referer Path Stripping in Private Browsing


The Electronic Frontier Foundation discovered in 2015 that the site healthcare.gov was sending personal data to third-party sites through the referer.

https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000

The string revealed the user's age, zip code, state and income, and that she was pregnant and a smoker, to the third-party sites that were linked. While this may not be enough on its own to identify a user, sites may also access the user's IP address and other information, and that is before taking scripts and other means of finding out more about site visitors into account.

Mozilla Firefox 59 will remove path information from the referer in Private Browsing mode when links lead to third-party websites.

Starting with Firefox 59, Private Browsing will remove path information from referrer values sent to third parties (i.e. technically, setting a Referrer Policy of strict-origin-when-cross-origin).

The healthcare.gov link above would be stripped to https://www.healthcare.gov/ so that third-party sites see only the referring domain but not the actual page or other information that may be part of URLs.
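To make the stripping concrete, here is an added example (not Firefox code) that derives the Referer header a browser sends for a navigation under each of the four policy values the article lists (no-referrer, same-origin, strict-origin-when-cross-origin, no-referrer-when-downgrade), and runs it on the healthcare.gov URL above against a constructed third-party destination:

```javascript
// Added example: derive the Referer header value for a navigation from
// `referrer` to `target` under a given referrer policy. Follows the W3C
// Referrer Policy rules for the four values discussed in the article.

// Origin-only form: "scheme://host[:port]/" (what third parties see in
// private browsing under strict-origin-when-cross-origin).
function originOnly(url) {
  return new URL(url).origin + "/";
}

// Full-URL form: credentials and fragment are always dropped, path and
// query are kept.
function fullUrl(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// A "downgrade" is a navigation from an HTTPS page to a plain HTTP page.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

// Returns the Referer value to send, or null when no header is sent at all.
function computeReferer(referrer, target, policy) {
  const sameOrigin = new URL(referrer).origin === new URL(target).origin;
  switch (policy) {
    case "no-referrer":
      return null;
    case "same-origin":
      return sameOrigin ? fullUrl(referrer) : null;
    case "strict-origin-when-cross-origin":
      if (isDowngrade(referrer, target)) return null;
      return sameOrigin ? fullUrl(referrer) : originOnly(referrer);
    case "no-referrer-when-downgrade":
      return isDowngrade(referrer, target) ? null : fullUrl(referrer);
    default:
      throw new Error("unsupported policy: " + policy);
  }
}

// The URL quoted in the article, and a constructed third-party destination.
const HEALTHCARE_URL = "https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000";
const THIRD_PARTY = "https://example.org/landing"; // constructed, not from the page

console.log(computeReferer(HEALTHCARE_URL, THIRD_PARTY, "strict-origin-when-cross-origin"));
```

Running it prints only the origin for the cross-site hop, while a same-site hop under the same policy still carries the full query string, which is why the stripping only protects against third parties.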

The stripping happens only in private browsing mode. Firefox users can start the special browsing mode with a click on Menu and the selection of New Private Window, or by using the shortcut Ctrl-Shift-P.

Add-ons have given Firefox users options to strip or delete referer values for a long time. Users who prefer to have referring information stripped in regular browsing mode as well may check out extensions such as Smart Referer, which does exactly that.

Update

Mozilla removed the original preference that it used to set default referer policy in the Firefox browser. Users need to configure it using the following two preferences now:

  • network.http.referer.defaultPolicy
  • network.http.referer.defaultPolicy.pbmode

Both preferences (the pbmode one affects private browsing mode only) support the following values:

  • 0 = no-referrer
  • 1 = same-origin
  • 2 = strict-origin-when-cross-origin
  • 3 = (default) no-referrer-when-downgrade

End

Firefox users may also change the preference network.http.referer.userControlPolicy to the value 2 which means strict-origin-when-cross-origin. Check out the Ghacks user.js file on GitHub for additional information on that and related preferences.

The main advantage of using an extension or changing the value of the preference in Firefox's preferences is that Firefox will strip the data in regular browsing mode as well.

Now You: How do you handle referers?

Comments

  1. Ijadas said on February 4, 2018 at 1:53 pm
    Reply

    Who loves the rest of Firefox once powerful UI customization.. get ready to say slow bye bye, because official Mozilla dev says it is going away in the future.

    Enjoy your lame Chrome imitation soon! Nothing more needed to be said to that Mozilla Open Source abusers. Total brainless morons!

    ————————————————————

    https://www.reddit.com/r/firefox/comments/7tu98a/wontfix_the_future_of_userchromecontent/

    https://bugzilla.mozilla.org/show_bug.cgi?id=1431962#c3

    Kris Maglione:

    “The functionality of userChrome.css will not be supported, for the same reasons that we removed support for legacy themes.

    Support will probably be completely removed from Firefox in the future, yes, but there are no immediate plans to do so.”

  2. Dave said on February 2, 2018 at 6:11 pm
    Reply

    How is this going to effect surfing porn using private mode?

    When ever you click on a link to a video on pornhub you get “more like this” below your video. Will stripping the links break this function making it harder to find content you actually want to look at?

    1. Tom Hawack said on February 2, 2018 at 6:37 pm
      Reply

      It won’t Dave. The problematic addressed here is what an external site to the one you’re on receives of information of you concatenated to the link it receives.

      Should the outcome differ from my expectations one would have to rely on imagination to replace “more like this” with excitement for new videos, perhaps “less like this” but possibly “better than this”.

      Let’s not let them drive us out of our curiosity for innovative and thrilling perspectives. Even if in the area of porn, frankly, they all seem to be the same, no scenario and far from the diversity of the Kama Sutra…

      1. Tom Hawack said on February 2, 2018 at 6:48 pm
        Reply

        Now that I think of it, a side note concerning what links may include even when addressed to another url within the same domain.

        A friend of mine sent me recently an email with a link to a Youtube video he found interesting.
        I replied to him stating that the other video was quite nice as well …
        He then asked me, “What other video?”
        I gave him the link to the other video
        “How did you know that, how did you find it out?”
        It was included in the link he had sent me: Youtube opened the new link (the one he had sent me) with the one it was sent from included (as “source” or something).

        Morality: beware of the links you send, look at what’s mentioned in the location bar, and strip what you’d consider as superfluous.

  3. Arcionquad said on February 2, 2018 at 5:23 pm
    Reply

    Here are the Firefox referer settings that I use:

    network.http.referer.XOriginPolicy = 1
    [Send referer only when base origins match.]

    network.http.referer.XOriginTrimmingPolicy = 2
    [Send only the origin.]

    network.http.referer.trimmingPolicy = 2
    [Send only the origin.]

    network.http.referer.userControlPolicy = 2
    [strict-origin-when-cross-origin]

    network.http.sendRefererHeader = 2
    [Default: send referer on all request types.]

    I’m pretty sure that one or two of these settings might be redundant.

  4. neal said on February 2, 2018 at 11:15 am
    Reply

    Thank you for sharing the referer addon. I was looking for something like that.

  5. ereedson said on February 2, 2018 at 7:36 am
    Reply

    Other settings about referrer https://wiki.mozilla.org/Security/Referrer

  6. Richard Allen said on February 1, 2018 at 8:02 pm
    Reply

    I’ve been using:
    user_pref("network.http.referer.XOriginPolicy", 2);
    user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
    user_pref("network.http.referer.trimmingPolicy", 1);

    I’ve seldom seen any site breakage with those settings in FF but results will vary. I do have other browsers that use less restrictive referer settings if needed.

    1. leanon said on February 2, 2018 at 1:34 pm
      Reply

      user_pref("network.http.referer.trimmingPolicy", 1);

      *confused

      https://www.ghacks.net/2015/01/22/improve-online-privacy-by-controlling-referrer-information/

      1. Richard Allen said on February 6, 2018 at 12:37 am
        Reply

        @leanon
        Sorry, I didn’t have email notification enabled for my comment. You’re right, it is confusing.

        When using “network.http.referer.XOriginPolicy=2” AND “network.http.referer.XOriginTrimmingPolicy=2” the XOriginTrimmingPolicy ends up being redundant because ‘cross-site’ referers are never sent because of “XOriginPolicy=2”. If “XOriginPolicy” is not set or set to 1 then… the “XOriginTrimmingPolicy” actually does something. Sorry for creating confusion, that was on me. I’ve been playing with XOriginPolicy set to 2 and 1.

        If I used “network.http.referer.XOriginPolicy=1” or its default setting of 0 AND “network.http.referer.XOriginTrimmingPolicy=2” then the “XOriginTrimmingPolicy” would be in effect, when going from one site to another, instead of “network.http.referer.trimmingPolicy=1” because the XOriginTrimmingPolicy set to 2 is stricter than the trimmingPolicy of 1. The less strict trimmingPolicy would then be in effect when viewing pages on one site (same-origin). If I didn’t set “XOriginTrimmingPolicy” then whatever “network.http.referer.trimmingPolicy” was set to would always be used. If “XOriginTrimmingPolicy” and “trimmingPolicy” are set the same I would just use trimmingPolicy. Doesn’t hurt anything if both are used with the same setting though. Just remember, “network.http.referer.trimmingPolicy” set to 2 WILL break some websites and I can’t sign into my router. I haven’t seen any problems with any of the other settings.

        Play with “network.http.referer.XOriginTrimmingPolicy” and “network.http.referer.trimmingPolicy” on “https://searchengineland.com/an-easy-way-to-check-what-referrer-data-google-bing-or-yahoo-pass-to-your-secure-site-182421” and you can see what I’ve tried to poorly explain. On that page, in the content is a link for “what is my secure referrer”.

        Another referer test: “http://www.stardrifter.org/cgi-bin/ref.cgi”
        About:config referer entries:”https://wiki.mozilla.org/Security/Referrer”

  7. Tom Hawack said on February 1, 2018 at 7:34 pm
    Reply

    Martin you wrote,
    “Firefox users may also change the preference network.http.referer.spoofSource to the value 2 which means strict-origin-when-cross-origin.”

    Isn’t it rather network.http.referer.userControlPolicy ?

    // set the default Referrer Policy (FF53+) – 0=no-referer 1=same-origin 2=strict-origin-when-cross-origin 3=no-referrer-when-downgrade
    user_pref("network.http.referer.userControlPolicy", 2); // Default=3

    network.http.referer.spoofSource is true or false:
    // disable spoofing a referer
    user_pref("network.http.referer.spoofSource", true); // Default = false

    Hope I’m not mistaking, had to read again my user.js (built on Pants’ Ghacks-user.js, I’ll never repeat it enough)

    1. Zuck said on February 1, 2018 at 8:13 pm
      Reply

      You’re right about spoofSource, but userControlPolicy sets the default policy, which means a 2 will set strict-origin-when-cross-origin unless the website specifies otherwise. Other prefs should be used if the goal is to override website decisions. Should we override website decisions? No, because that can be part of security measures taken by the site, and useful for compatibility; yes, because the site may use it for tracking.

      Here’s the list of referrer prefs. (sendSecureXSiteReferrer and enablePerElementReferrer don’t exist any more)

      1. Simon Linden said on May 25, 2018 at 10:55 am
        Reply

        the property “network.http.referer.userControlPolicy” doesn’t exist any more, too.

        https://wiki.mozilla.org/Security/Referrer last changed @ 12.April 2018

        As far as I understand – the property was replaced in FF59+ by two new properties
        “network.http.referer.defaultPolicy”
        “network.http.referer.defaultPolicy.pbmode”

      2. Rush said on February 3, 2018 at 7:37 pm
        Reply

        Optimal about:config settings

        network.http.sendRefererHeader
        2 = (default) send on all requests (e.g. images, links, etc.)
        network.http.referer.trimmingPolicy
        1 = send the URL without its query string
        network.http.referer.XOriginTrimmingPolicy
        2 = only send the origin
        network.http.referer.XOriginPolicy
        0 = (default) send the referrer in all cases
        network.http.referer.spoofSource
        true = send the target URL as the referrer
        network.http.referer.userControlPolicy
        2 = strict-origin-when-cross-origin
        network.http.referer.hideOnionSource
        true = strip out the referrer when it’s a .onion address

        Per: https://chefkochblog.wordpress.com/2018/02/02/referer-path-stripping-in-private-browsing-mode-in-firefox-59/

        Sadly by default the mode is only enabled in the Private Window, for no reason.

    2. Martin Brinkmann said on February 1, 2018 at 8:00 pm
      Reply

      Tom you are right of course. Edited right away ;)

    3. Richard Allen said on February 1, 2018 at 7:41 pm
      Reply

      Thanks, was going to say the same thing. You beat me to the draw. ;)

  8. P. M. Claarke said on February 1, 2018 at 7:27 pm
    Reply

    I use this since forever:
    https://addons.mozilla.org/en-US/firefox/addon/smart-referer/
    Send referers only when staying on the same domain.

    Before 57+ I had:
    https://addons.mozilla.org/de/firefox/addon/referrer-control/
    (more powerful)

    1. Chris said on February 8, 2018 at 6:13 pm
      Reply

      Referer Control:
      https://addons.mozilla.org/en-GB/firefox/addon/referercontrol/?src=api
      is very powerful and compatible with 57+

      You can even define rules based on regular expressions.
      But the settings page is not a 100% intuitive, in my opinion.

    2. John Fenderson said on February 1, 2018 at 8:01 pm
      Reply

      This. I don’t see any reason for websites to get referrer information unless I’m just coming from a different page on the same site.

  9. Jack said on February 1, 2018 at 7:15 pm
    Reply

    It’s just as easy for me to go in the backend and do this.

    1. Zuck said on February 1, 2018 at 7:56 pm
      Reply

      It’s for non tech-savvy users, aka the vast majority. Studies show that they expect Private Browsing modes from the different browser brands to protect their privacy on the web, which is not what they were meant for initially.

      Firefox is going to progressively meet user expectations in this area through 2017-2018-2019. In 2017 Private Browsing got Tracking Protection, it’s going to get First Party Isolation and fingerprinting resistance in 2018, and they’re studying Tor network integration in 2019.

      Features that are smaller in scope but provide useful protection (low hanging fruits) may come along the way, see Ghacks’ article on Mozilla’s study on privacy features if you want hints regarding what could be such low hanging fruits.

      It’s good times for privacy on the web.

  10. Shiva said on February 1, 2018 at 6:25 pm
    Reply

    If I remember with Privacy Settings or Random Agent Spoofer add-ons you already do this. Only for ESR now
