Firefox 59: Referer Path Stripping in Private Browsing

Martin Brinkmann
Feb 1, 2018
Updated • May 27, 2018

Mozilla plans to strip path information from the referer when visiting third-party sites starting in Firefox 59 Stable. The new feature applies to the browser's private browsing mode only.

Web browsers provide sites with information when connections are initiated. Part of this is the referer value which holds the path of the referring site.

When you click on a link, the URL  the link was clicked on is sent as the referrer by default. The data reveals information to sites. While that is usually limited to the full URL a user came from, it sometimes may include critical information that users may not want to be shared with other sites.

Referer Path Stripping in Private Browsing

private browsing referer stripping firefox 59

The Electronic Frontier Foundation discovered in 2015 that the site was sending personal data to third-party sites through the referer.

The string revealed the user's age, zip code and state, income, and that she was pregnant and a smoker to linked third-party sites. While this may not be enough on its own to identify a user, one has to consider that sites may access a user's IP address and other information as well, and that is not taking scripts, and other means of finding out more about site visitor's into account.

Mozilla Firefox 59 will remove path information from the referer in Private Browsing mode when links lead to third-party websites.

Starting with Firefox 59, Private Browsing will remove path information from referrer values sent to third parties (i.e. technically, setting a Referrer Policy of strict-origin-when-cross-origin).

The link above would be stripped to so that third-party sites see only the referring domain but not the actual page or other information that may be part of URLs.

The stripping happens only in private browsing mode. Firefox users can start the special browsing mode with a click on Menu and the selection of New Private Window, or by using the shortcut Ctrl-Shift-P.

Add-ons provided Firefox users with options to strip or delete referer values for a long time. Users who prefer to have referring information stripped in regular browsing mode as well may check out extensions such as Smart Referer which does that.


Mozilla removed the original preference that it used to set default referer policy in the Firefox browser. Users need to configure it using the following two preferences now:

  • network.http.referer.defaultPolicy
  • network.http.referer.defaultPolicy.pbmode

The preferences, the pbmode one affects privacy browsing mode only, support the following values:

  • 0 = no-referrer
  • 1 = same-origin
  • 2 = strict-origin-when-cross-origin
  • 3 = (default) no-referrer-when-downgrade


Firefox users may also change the preference network.http.referer.userControlPolicy to the value 2 which means strict-origin-when-cross-origin. Check out the Ghacks user.js file on GitHub for additional information on that and related preferences.

The main advantage of using an extension or changing the value of the preference in Firefox's preferences is that Firefox will strip the data in regular browsing mode as well.

Now You: How do you handle referers?

Related articles

Firefox 59: Referer Path Stripping in Private Browsing
Article Name
Firefox 59: Referer Path Stripping in Private Browsing
Mozilla plans to strip path information from the referer when visiting third-party sites starting in Firefox 59 Stable. The new feature applies to the browser's private browsing mode only.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Ijadas said on February 4, 2018 at 1:53 pm

    Who loves the rest of Firefox once powerful UI customization.. get ready to say slow bye bye, because official Mozilla dev says it is going away in the future.

    Enjoy your lame Chrome imitation soon! Nothing more needed to be said to that Mozilla Open Source abusers. Total brainless morons!


    Kris Maglione=

    “The functionality of userChrome.css will not be supported, for the same reasons that we removed support for legacy themes.

    Support will probably be completely removed from Firefox in the future, yes, but there are no immediate plans to do so.”

  2. Dave said on February 2, 2018 at 6:11 pm

    How is this going to effect surfing porn using private mode?

    When ever you click on a link to a video on pornhub you get “more like this” below your video. Will stripping the links break this function making it harder to find content you actually want to look at?

    1. Tom Hawack said on February 2, 2018 at 6:37 pm

      It won’t Dave. The problematic addressed here is what an external site to the one you’re on receives of information of you concatenated to the link it receives.

      Should the outcome differ from my expectations one would have to rely on imagination to replace “more like this” with excitement for new videos, perhaps “less like this” but possiblye “better than this’.

      Let’s not let them drive us out of our curiosity for innovative and thrilling perspectives. Even if in the area of porn, frankly, they all seem to be the same, no scenario and far from the diversity of the Kama Sutra…

      1. Tom Hawack said on February 2, 2018 at 6:48 pm

        Now that I think of it, a side note concerning what links may include even when addressed to another url within the same domain.

        A friend of mine sent me recently an email with a link to a Youtube video he found interesting.
        I replied to him stating that the other video was quite nice as well …
        He then asked me, “What other video?”
        I gave him the link to the other video
        “How did you you know that, how did you find it out?”
        It was included in the link he had sent me : Youtube opened the new link (the one he had sent me) with the one it was sent from included (as “source” or something).

        Morality : beware of the links you send, look at what”s mentioned in the location bar, and strip what you’d consider as superfluous.

  3. Arcionquad said on February 2, 2018 at 5:23 pm

    Here are the Firefox referer settings that I use:

    network.http.referer.XOriginPolicy = 1
    [Send referer only when base origins match.]

    network.http.referer.XOriginTrimmingPolicy = 2
    [Send only the origin.]

    network.http.referer.trimmingPolicy = 2
    [Send only the origin.]

    network.http.referer.userControlPolicy = 2

    network.http.sendRefererHeader = 2
    [Default: send referer on all request types.]

    I’m pretty sure that one or two of these settings might be redundant.

  4. neal said on February 2, 2018 at 11:15 am

    Thank you for sharing the referer addon. I was looking for something like that.

  5. ereedson said on February 2, 2018 at 7:36 am

    Other settings about referrer

  6. Richard Allen said on February 1, 2018 at 8:02 pm

    I’ve been using:
    user_pref(“network.http.referer.XOriginPolicy”, 2);
    user_pref(“network.http.referer.XOriginTrimmingPolicy”, 2);
    user_pref(“network.http.referer.trimmingPolicy”, 1);

    I’ve seldom seen any site breakage with those settings in FF but results will vary. I do have other browsers that use less restrictive referer settings if needed.

    1. leanon said on February 2, 2018 at 1:34 pm

      user_pref(“network.http.referer.trimmingPolicy”, 1);


      1. Richard Allen said on February 6, 2018 at 12:37 am

        Sorry, I didn’t have email notification enabled for my comment. You’re right, it is confusing.

        When using “network.http.referer.XOriginPolicy=2” AND “network.http.referer.XOriginTrimmingPolicy=2” the XOriginTrimmingPolicy ends up being redundant because ‘cross-site’ referers are never sent because of “XOriginPolicy=2”. If “XOriginPolicy” is not set or set to 1 then… the “XOriginTrimmingPolicy” actually does something. Sorry for creating confusion, that was on me. I’ve been playing with XOriginPolicy set to 2 and 1.

        If I used “network.http.referer.XOriginPolicy=1” or it’s default setting of 0 AND “network.http.referer.XOriginTrimmingPolicy=2” then the “XOriginTrimmingPolicy” would be in effect, when going from one site to another, instead of “network.http.referer.trimmingPolicy=1” because the XOriginTrimmingPolicy set to 2 is stricter than the trimmingPolicy of 1. The less strict trimmingPolicy would then be in effect when viewing pages on one site (same-origin). If I didn’t set “XOriginTrimmingPolicy” then whatever “network.http.referer.trimmingPolicy” was set to would always be used. If “XOriginTrimmingPolicy” and “trimmingPolicy” are set the same I would just use trimmingPolicy. Doesn’t hurt anything if both are used with the same setting though. Just remember, “network.http.referer.trimmingPolicy” set to 2 WILL break some websites and I can’t sign into my router. I haven’t seen any problems with any of the other settings.

        Play with “network.http.referer.XOriginTrimmingPolicy” and “network.http.referer.trimmingPolicy” on “” and you can see what I’ve tried to poorly explain. On that page, in the content is a link for “what is my secure referrer”.

        Another referer test: “”
        About:config referer entries:””

  7. Tom Hawack said on February 1, 2018 at 7:34 pm

    Martin you wrote,
    “Firefox users may also change the preference network.http.referer.spoofSource to the value 2 which means strict-origin-when-cross-origin.”

    Isn’t it rather network.http.referer.userControlPolicy ?

    // set the default Referrer Policy (FF53+) – 0=no-referer 1=same-origin 2=strict-origin-when-cross-origin 3=no-referrer-when-downgrade
    user_pref(“network.http.referer.userControlPolicy”, 2); // Default=3

    network.http.referer.spoofSource is true or false :
    // disable spoofing a referer
    user_pref(“network.http.referer.spoofSource”, true); // Default = false

    Hope I’m not mistaking, had to read again my user.js (built on Pants’ Ghacks-user.js, I’ll never repeat it enough)

    1. Zuck said on February 1, 2018 at 8:13 pm

      You’re right about spoofSource, but userControlPolicy sets the default policy, which means a 2 will set strict-origin-when-cross-origin unless the website specifies otherwise. Other prefs should be used if the goal is to override website decisions. Should we override website decisions ? No because that can be part of security measures taken by the site, and useful for compatibility, Yes because the site may use it for tracking.

      Here’s the list of referrer prefs. (sendSecureXSiteReferrer and enablePerElementReferrer don’t exist any more)

      1. Simon Linden said on May 25, 2018 at 10:55 am

        the property “network.http.referer.userControlPolicy” don’t exist any more, too. last changed @ 12.April 2018

        As far as I understand – the property was replaced in FF59+ by two new properties

      2. Rush said on February 3, 2018 at 7:37 pm

        Optimal about:config settings

        2 = (default) send on all requests (e.g. images, links, etc.)
        1 = send the URL without its query string
        2 = only send the origin
        0 = (default) send the referrer in all cases
        true = send the target URL as the referrer
        2 = strict-origin-when-cross-origin
        true – strip out the referrer when it’s a .onion address


        Sadly by default the mode is only enabled in the Private Window, for no reason.

    2. Martin Brinkmann said on February 1, 2018 at 8:00 pm

      Tom you are right of course. Edited right away ;)

    3. Richard Allen said on February 1, 2018 at 7:41 pm

      Thanks, was going to say the same thing. You beat me to the draw. ;)

  8. P. M. Claarke said on February 1, 2018 at 7:27 pm

    I use this since forever:
    Send referers only when staying on the same domain.

    Before 57+ I had:
    (more powerful)

    1. Chris said on February 8, 2018 at 6:13 pm

      Referer Control:
      is very powerful and compatible with 57+

      You can even define rules based on regular expresssions.
      But the settings page is not a 100% intuitive, in my opinion.

    2. John Fenderson said on February 1, 2018 at 8:01 pm

      This. I don’t see any reason for websites to get referrer information unless I’m just coming from a different page on the same site.

  9. Jack said on February 1, 2018 at 7:15 pm

    It’s just as easy for me to go in the backend and do this.

    1. Zuck said on February 1, 2018 at 7:56 pm

      It’s for non tech-savvy users, aka the vast majority. Studies show that they expect Private Browsing modes from the different browser brands to protect their privacy on the web, which is not what they were meant for initially.

      Firefox is going to progressively meet user expectations in this area through 2017-2018-2019. In 2017 Private Browsing got Tracking Protection, it’s going to get First Party Isolation and fingerprinting resistance in 2018, and they’re studying Tor network integration in 2019.

      Features that are smaller in scope but provide useful protection (low hanging fruits) may come along the way, see Ghacks’ article on Mozilla’s study on privacy features if you want hints regarding what could be such low hanging fruits.

      It’s good times for privacy on the web.

  10. Shiva said on February 1, 2018 at 6:25 pm

    If I remember with Privacy Settings or Random Agent Spoofer add-ons you already do this. Only for ESR now

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.