Firefox 59: Referer Path Stripping in Private Browsing
Mozilla plans to strip path information from the referer when visiting third-party sites starting in Firefox 59 Stable. The new feature applies to the browser's private browsing mode only.
Web browsers send sites information when connections are initiated. Part of this is the Referer header, which holds the URL of the page the request originated from.
When you click on a link, the URL of the page the link was clicked on is sent as the referrer by default. That URL is often harmless, but its path and query string sometimes carry information that users may not want shared with other sites.
Referer Path Stripping in Private Browsing
The Electronic Frontier Foundation discovered in 2015 that the site healthcare.gov was sending personal data to third-party sites through the referer.
The string revealed the user's age, zip code and state, income, and that she was pregnant and a smoker to the linked third-party sites. While this may not be enough on its own to identify a user, those sites also see the user's IP address and other request data, and that is before scripts and other means of finding out more about site visitors are taken into account.
Mozilla Firefox 59 will remove path information from the referer in Private Browsing mode when links lead to third-party websites.
Starting with Firefox 59, Private Browsing will remove path information from referrer values sent to third parties (i.e. technically, setting a Referrer Policy of strict-origin-when-cross-origin).
A healthcare.gov URL like the one in the EFF example above would be stripped to https://www.healthcare.gov/, so that third-party sites see only the referring origin but not the actual page, query string or other information that may be part of the URL.
The stripping happens only in private browsing mode. Firefox users can start the special browsing mode with a click on Menu and the selection of New Private Window, or by using the shortcut Ctrl-Shift-P.
Add-ons have provided Firefox users with options to strip or delete referer values for a long time. Users who prefer to have referring information stripped in regular browsing mode as well may check out extensions such as Smart Referer, which does that.
Mozilla removed the original preference that it used to set default referer policy in the Firefox browser. Users need to configure it using the following two preferences now:
Both preferences (the pbmode one affects private browsing mode only) support the following values:
- 0 = no-referrer
- 1 = same-origin
- 2 = strict-origin-when-cross-origin
- 3 = no-referrer-when-downgrade (default)
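The following function, added here as an example and not code from the article or from Mozilla, computes the Referer value a browser sends for a navigation from one URL to another under each of the four policies the preference values above select. It goes beyond the single healthcare.gov case in the text in that it also handles same-origin navigations and HTTPS-to-HTTP downgrades. The analytics and tracker hostnames, and the query parameters on the healthcare.gov-style URL, are constructed for illustration and are not the parameters the EFF found.

```javascript
// Added example: Referer computation under the four policies selectable through
// Firefox's referer preferences (value -> policy name, as listed above).
// Policy semantics follow the W3C Referrer Policy specification.
const POLICIES = {
  0: "no-referrer",
  1: "same-origin",
  2: "strict-origin-when-cross-origin",
  3: "no-referrer-when-downgrade",
};

// The Referer header never carries credentials or the fragment, so drop them
// before the policy decides how much of the remaining URL is sent.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

// "Potentially trustworthy" per the spec, simplified to the cases that matter here.
function isPotentiallyTrustworthy(u) {
  return u.protocol === "https:" || u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

// Returns the Referer header value as a string, or null when no header is sent.
function referrerFor(fromUrl, toUrl, policy) {
  const from = stripForReferrer(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // HTTPS -> HTTP is a downgrade: the URL would travel in clear text.
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);

  switch (policy) {
    case "no-referrer":
      return null;
    case "same-origin":
      return sameOrigin ? from.href : null;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      // Full URL stays within the origin; third parties get origin only.
      return sameOrigin ? from.href : from.origin + "/";
    case "no-referrer-when-downgrade":
      return downgrade ? null : from.href;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Same computation, keyed by the numeric Firefox preference value.
function referrerForPref(fromUrl, toUrl, prefValue) {
  if (!(prefValue in POLICIES)) throw new Error("unknown preference value: " + prefValue);
  return referrerFor(fromUrl, toUrl, POLICIES[prefValue]);
}

// Constructed sample URL in the spirit of the 2015 healthcare.gov finding;
// the parameter names and values are invented for this example.
const REFERRING_PAGE = "https://www.healthcare.gov/see-plans/?age=40&smoker=1&zip=12345";

// What a third party receives under Firefox 59's defaults: value 3 in regular
// browsing, value 2 in private browsing.
function leakUnderFirefox59Defaults(toUrl) {
  return {
    regular: referrerForPref(REFERRING_PAGE, toUrl, 3),
    privateBrowsing: referrerForPref(REFERRING_PAGE, toUrl, 2),
  };
}

// Stand-alone demo: one line per policy for a cross-origin, HTTPS-to-HTTPS navigation.
for (const [value, name] of Object.entries(POLICIES)) {
  console.log(value, name.padEnd(32), referrerFor(REFERRING_PAGE, "https://analytics.example/collect", name));
}
console.log(leakUnderFirefox59Defaults("https://analytics.example/collect"));
```

Run with `node referer.js`. The regular-mode default (value 3) sends the full URL, query string included, to the third party; the private-browsing default (value 2) reduces it to `https://www.healthcare.gov/`, and both suppress the header entirely when the destination is plain HTTP.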
In Firefox versions that predate the change, the preference was network.http.referer.userControlPolicy, and setting it to the value 2 selected strict-origin-when-cross-origin; this is the original preference that Mozilla removed, as noted above. Check out the Ghacks user.js file on GitHub for additional information on that and related preferences.
The main advantage of using an extension or changing the preference value in about:config is that Firefox will strip the data in regular browsing mode as well.
Now You: How do you handle referers?