Firefox 87 to limit the referrer for all cross-origin requests

Martin Brinkmann
Mar 22, 2021

Mozilla announced today that it plans to trim the referrer that the Firefox web browser sends with all cross-origin requests, in order to improve privacy.

Requests made by the web browser, e.g. to load a webpage, image, CSS stylesheet, or advertisement, include the referrer. The referrer is usually the URL that users see in the browser's address bar.

Up until now, Firefox and most other browsers trimmed the referrer only when requests were made from secure sites, e.g. those using HTTPS, to non-secure sites, e.g. those using HTTP.

(Image: firefox 87 limits referrer)

The URL may reveal more to the servers that receive the requests than just the domain name of a site. It may reveal the article title or page a user accessed, and may also include sensitive information such as search queries.

From Firefox 87 on, Mozilla will trim the referrer automatically for all cross-origin requests, e.g. requests from Site A (example.com) to Site B (secondexample.com).

Site B no longer knows the exact page the request originated from, and other information, such as search queries, is no longer leaked to the site either.

Instead of submitting the entire referrer, only the domain name is submitted. In technical terms, Firefox is moving from the referrer policy "no-referrer-when-downgrade" to "strict-origin-when-cross-origin".

Starting with Firefox 87, we set the default Referrer Policy to ‘strict-origin-when-cross-origin’ which will trim user sensitive information accessible in the URL. As illustrated in the example above, this new stricter referrer policy will not only trim information for requests going from HTTPS to HTTP, but will also trim path and query information for all cross-origin requests. With that update Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience.

The change is made silently in the background for all users of Firefox 87 or newer. Firefox 87 will be released on March 23, 2021 to the public.
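As an added illustration (not code from this article or from Mozilla), the following Node.js script models the Referrer Policy algorithm for the policies named above and compares the old and new Firefox defaults on a few constructed requests: cross-origin over HTTPS, same-origin, and an HTTPS-to-HTTP downgrade. It goes slightly beyond the article in two ways: it resolves a site-supplied Referrer-Policy header, since the browser default only applies when a site sets none (or an invalid one), and it includes the numeric values of Firefox's network.http.referer.defaultPolicy preference, which come from Firefox's preference documentation rather than from this page. All URLs are constructed examples.

```javascript
// Added example: a model of the Referrer Policy algorithm, used to compare
// Firefox's pre-87 default (no-referrer-when-downgrade) with the new default
// (strict-origin-when-cross-origin). Runs under Node.js (WHATWG URL class).

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'unsafe-url',
];

// A Referrer-Policy header may carry a comma-separated list; the last valid
// token wins. An absent or invalid value falls back to the browser default,
// which is exactly the case the Firefox 87 change affects.
function resolvePolicy(headerValue, browserDefault) {
  let chosen = browserDefault;
  for (const token of String(headerValue || '').split(',')) {
    const t = token.trim().toLowerCase();
    if (POLICIES.includes(t)) chosen = t;
  }
  return chosen;
}

// Full referrer: credentials and the fragment are stripped before sending.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form, serialized with a trailing slash as browsers send it.
function originOnly(url) {
  return new URL(url).origin + '/';
}

// Returns the Referer header value for a request made from the page `fromUrl`
// (the URL in the address bar) to `toUrl`, or '' when nothing is sent.
function computeReferrer(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Only http(s) documents produce a referrer at all.
  if (from.protocol !== 'http:' && from.protocol !== 'https:') return '';
  const sameOrigin = from.origin === to.origin;
  // "Downgrade" means leaving an HTTPS page for a non-HTTPS resource.
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return '';
    case 'unsafe-url': return stripForReferrer(fromUrl);
    case 'no-referrer-when-downgrade': return downgrade ? '' : stripForReferrer(fromUrl);
    case 'same-origin': return sameOrigin ? stripForReferrer(fromUrl) : '';
    case 'origin': return originOnly(fromUrl);
    case 'strict-origin': return downgrade ? '' : originOnly(fromUrl);
    case 'origin-when-cross-origin':
      return sameOrigin ? stripForReferrer(fromUrl) : originOnly(fromUrl);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(fromUrl);
      return downgrade ? '' : originOnly(fromUrl);
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// Values of Firefox's network.http.referer.defaultPolicy pref (from Firefox's
// preference documentation, not this article). The change is from 3 to 2.
const FIREFOX_DEFAULT_POLICY_PREF = {
  0: 'no-referrer',
  1: 'same-origin',
  2: 'strict-origin-when-cross-origin',
  3: 'no-referrer-when-downgrade',
};

// What a site receives before and after the Firefox 87 default change, for a
// page that has not set its own Referrer-Policy (siteHeader may be '').
function compareDefaults(fromUrl, toUrl, siteHeader = '') {
  const before = resolvePolicy(siteHeader, FIREFOX_DEFAULT_POLICY_PREF[3]);
  const after = resolvePolicy(siteHeader, FIREFOX_DEFAULT_POLICY_PREF[2]);
  return {
    before: computeReferrer(fromUrl, toUrl, before),
    after: computeReferrer(fromUrl, toUrl, after),
  };
}

// Constructed sample: a search page with a private query in its URL.
function demo() {
  const page = 'https://example.com/search?q=my+private+query#top';
  const targets = [
    'https://secondexample.com/ad.js',   // cross-origin, no downgrade
    'https://example.com/style.css',     // same-origin
    'http://secondexample.com/pixel.gif' // HTTPS -> HTTP downgrade
  ];
  return targets.map((t) => ({ target: t, ...compareDefaults(page, t) }));
}

for (const row of demo()) console.log(row);
```

Running the script shows the cross-origin request losing its path and query under the new default while the same-origin request keeps the full URL, and the downgrade request sending nothing under both defaults. Passing a site's own header as the third argument to compareDefaults (for example 'unsafe-url') shows how a page can still opt back into the full referrer, which is why the comments below ask whether sites can override the new default.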


Comments

  1. NeededMoreBETA said on March 23, 2021 at 7:30 pm

    In Firefox 86.1 I’m attempting to cut and paste some Article title into A Disqus forum and something interesting happens along with that cut and pasted text and in the same color as the pasted page’s background I get more than the pasted text after submitting the post via Disqus’ system that changes any colored text into black on white text by default once the post operation is completed so a bunch of hidden text appears that’s a duplication of the website address that I had already copied over so as to make a proper citation to the article.

    So I’ve taken to calling this cut and paste stuffing of hidden text that is set to the same color as the background via some nifty/nefarious scripting and really Firefox needs a Paste unformatted right-click modal dialog option that can remove all but the actually copied text so that it’s easier to get that rather than having to do an intermediary paste to a text only editor and then re-cutting and pasting that way.

    And Firefox blocking all 3rd party cookies has really borked Disqus forums posting while trying to remain logged into Disqus and the standard Strict Privacy setting keeps me logged in to Disqus but prevents me from directly uploading content from my laptop/PC! And if I set a custom Privacy setting that allows 3rd party cookies only for pages visited I can upload content but have to re-login with each page reload even on the same website.

  2. Ohim said on March 23, 2021 at 6:07 pm

    “Mozilla will trim the referrer automatically for all cross-origin requests, e.g. requests from Site A (example.com) to Site B (secondexample.com).”

    As far as I understand, ‘network.http.referer.defaultPolicy’ will be 2 instead of 3 (as well as in Private Mode ‘network.http.referer.defaultPolicy.pbmode’)
    Due to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#strict-origin-when-cross-origin it’s just the new default (!) referrer-policy if no policy is specified (or invalid) on the site.

    Will Firefox follow less restrictive policies if they are on the site?

  3. Anonymous said on March 23, 2021 at 5:31 pm

    https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/

    “Websites can use referrer information for many fairly innocent uses, including analytics, logging, or for optimizing caching.”
    “Unfortunately, the HTTP Referrer header often contains private user data: it can reveal which articles a user is reading on the referring website, or even include information on a user’s account on a website.”
    “Starting with Firefox 87, we set the default Referrer Policy to ‘strict-origin-when-cross-origin’ which will trim user sensitive information accessible in the URL.”

    Analytics using browsing data leaked to third parties from referrers are “innocent”?
    Of course, this is written on a Mozilla site that connects to the innocent Google Analytics.

    Third-parties knowing what domains you browse is “innocent analytics” use of your browsing data, only the path/query part is considered as something “sensitive” at Google & Mozilla. The rest belongs to them.

  4. Anonymous said on March 23, 2021 at 4:52 pm

    https://bugzilla.mozilla.org/show_bug.cgi?id=1589074#c30

    “I think for now we want to allow websites to override this, similar to Chrome”

    So contrary to user interests, user expectations, and privacy, sites can apparently override this new referrer policy with a less private one and still leak the full urls if they want to. It would seem that even Safari was less dickish than the Google duo here:

    https://github.com/w3c/webappsec-referrer-policy/pull/125#issuecomment-619460219

    “Safari’s change is not a change of default policy. Sites can’t change it, only users can. Third-party referrers are downgraded to origin by default regardless of the referrer policy set by the website.”

  5. 45rpm said on March 23, 2021 at 8:52 am

    The big takeaway from the comments is that it’s highly unlikely any of you have ever had sex.

    1. walker said on March 23, 2021 at 10:32 am

      wrong deduction!

  6. Anon7 said on March 23, 2021 at 6:48 am

    When you put too many extensions in your browser you could be increasing the threat to your privacy.

    An extension for this that and another, it can be counter-productive.

    Many extensions are pinging home all the time. Sometimes it’s best to take the bad with the good rather than trying to correct the bad with potentially even more bad. If you trust the extension though, go ahead and use it.

    1. Anonymous said on March 23, 2021 at 12:09 pm

      These overbroad fearmongering ideas against all privacy extensions, that statistically they would cost more in privacy than they would bring, because of fingerprinting or because of a malicious author, come from tracking companies. This includes Mozilla and of course Google. This is the false motive behind Google’s webextension manifest v3. This has also been a way for Mozilla to ransom innocent developers to have their “unverified dangerous extension” or something warning removed in priority by paying them.

      I find it easy to spot trustworthy extension developers and suspicious ones. For those who can’t do that, they can ask for advice. The Firefox extension system is largely trustworthy, but browser companies have interests in destroying trust in it much beyond the reality of the threat. The developers of those privacy extensions like POOP, Smart Referer or Referer Modifier are much, much more trustworthy than the browser developer Mozilla itself that arrogates to itself the right to tell which ones should be trusted. Mozilla has been recommending or promoting shady extensions like Ghostery or Honey for money, that’s true. So avoid shady companies, but do not boycott the people who fight them.

  7. Titus said on March 23, 2021 at 4:51 am

    I wonder if “Privacy-Oriented Origin Policy” is still useful as an addon after this update, anyones thoughts?

    1. Anonymous said on March 23, 2021 at 11:49 am

      I think that this Firefox update:

      – is only about the referrer header, not about the origin header, and
      – still leaks the origin domain in the referrers, which is the only thing that the origin header leaks, so this update would not care about the origin header anyway

  8. Anonymous said on March 23, 2021 at 1:25 am

    Something else to know: even if you remove or fully spoof your referrers with an extension instead of keeping the domain, many requests will still also contain an “Origin” header, which is like a “lighter” brother of the referrer header that sends only the domain, invented much later by Google with the hope that this one would survive even when the referrer was manually killed by the user. To tell you the current state of privacy awareness in the modern web, even the developer of the Smart Referer add-on was not aware of the existence of this now 10-year-old other privacy hostile header.

    Extensions to counter this other privacy threat:

    POOP:
    https://addons.mozilla.org/firefox/addon/privacy-oriented-origin-policy/

    Only work in progress for inclusion in Smart Referer:
    https://addons.mozilla.org/firefox/addon/smart-referer/
    https://gitlab.com/smart-referrer/smart-referer/-/issues/118

    Of course all those are a drop in the ocean with very few users, and browser companies should be the ones doing it. Which they won’t do, for already discussed reasons.

  9. Jack said on March 22, 2021 at 11:08 pm

    I haven’t sent a real referer in years (by using a referer extension in Firefox), and have not experienced an issue on well over 99% of sites I’ve visited.

    What sucks is when a site is so poorly written that it still requires a specific referer. It’s trivial to spoof a referer, so why any site still checks them before working properly is just silliness. It’s a completely fake security measure, perhaps done to present “security theatre” to ignorant management.

    Referers are only somewhat useful as a tracking mechanism, and if a site depends on tracking users for its success, it would be best if they just post that detail on their front page so people know not to use that site.

    BTW, hcaptcha.com and sourceforge.net are 2 of the worst offenders of sites requiring referers. As such, I avoid any site that uses hCaptcha and no longer use SourceForge to host my coding projects.

    1. Anonymous said on March 23, 2021 at 11:36 am

      I had added hcaptcha in my exception list as needing to remove referrer for it instead of spoofing it to destination, but I haven’t noticed any problem on sourceforge when spoofing referrer.

  10. Yash said on March 22, 2021 at 9:37 pm

    I have Fennec and Iceraven (for all addons) installed on my phone along with Firefox. Now in Fennec and Iceraven I can access about:config option and so I have set network.http.sendrefererheader and network.http.sendoriginheader to zero, but it does break an odd site here and there (so far only banking related). How are these options going to change? If someone can explain in easy and unhateful words, it would be greatly appreciated.

  11. m3city said on March 22, 2021 at 5:48 pm

    And I, as a user of FF, didn’t know. I don’t care for Brave or Chrome related news. And FF gets an article about it because (that’s my assumption) the author likes/uses this software.
    I won’t remember about it in one week’s time, but I guess it’s good. At least FF doesn’t add anything or tamper with typed urls like some browsers did in the past ;) (by a mistake of course…)

  12. Anonymous said on March 22, 2021 at 5:10 pm

    Trim only, not remove or spoof to target, still leaking the domain name. That’s good but not enough. Every contacted third-party will be able to know what domain the user made the request from and if ubiquitous enough build a browsing profile. Sites are not entitled either to know where one browsed to their site from. And this should be done for same domain browsing too.

    From the user point of view, the only reason not to fully kill the referrer would be the risk of a few sites being broken. But I have spoofed all referers to target sites for years and met problems only with a few sites.

    From the browser companies point of view, the interests of trackers weigh a lot in the decisions. Mozilla implemented a click tracking standard after all called hyperlink auditing, and tried to enforce it on. This is why they should have done more and earlier but did not. And will pretext dishonestly that site breakage is their only concern for not doing it. But there are other circumstances where much more serious massive breakage of the web without really better positive benefits did not stop them from applying their decisions, because it was what Google or another one wanted for its own reasons. Consider also that if a major browser enforced the death of referrers, it would pressure the few sites that require it to stop requiring it to work, so the small site breaking problem would become even smaller.

    Referrer extensions are thus still an important privacy addition, because the new default will be far from enough, Mozilla being in bed with the tracking business. This one will even include an updated whitelist to take care of broken sites:

    https://addons.mozilla.org/firefox/addon/smart-referer/

    This one is another good option:

    https://addons.mozilla.org/firefox/addon/referer-modifier/

    1. Anon said on March 22, 2021 at 9:13 pm

      Hi there! Please, few questions:

      1) Is it possible to spoof all referrers (as you did), but without using add-ons?

      2) What’s the benefit of using referrer add-ons?

      Thks!

      1. Anonymous said on March 23, 2021 at 11:42 am

        To be more accurate, about:config prefs allow various forms of trimming but I am not aware of prefs that allow spoofing, another reason to use referrer add-ons (on the Firefox versions and forks where Mozilla still allows you to use them at the moment).

        I have found spoofing referrer to the target domain less breaking than plain removing it. I think that the Smart Referer approach is to send the full target URL as referrer by default, which is fine too.

      2. Anon said on March 23, 2021 at 9:57 pm

        Thks.

      3. Anonymous said on March 23, 2021 at 11:24 am

        1) Yes, on Firefox versions that still allow access to about:config, and if they have not yet neutered those preferences in those versions, there are prefs to configure referrers:

        https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/

        2) However I don’t think that exceptions can be set unless add-ons are used

  13. walker said on March 22, 2021 at 5:02 pm

    better late than never, ymmv :)

  14. Anonymous said on March 22, 2021 at 4:41 pm

    how does it feel to have a web browser live rent-free inside your head every single day?

  15. finoderi said on March 22, 2021 at 4:35 pm

    Yep, the flag for reducing referer granularity was there a year ago and since a few months ago it’s on by default.

  16. ConspiracyTheorist said on March 22, 2021 at 3:31 pm

    Please, can you ask Mozilla to add an option to completely disable all of its auto connections that are opened every time we run the application? The functions that make use of these connections are not necessary at all for a web browser to work.

    “Oh, it’s for security, privacy, performance purposes,” they say. Always using a noble pretext to violate user’s privacy. Each version they make it more difficult for us to disable those connections. On 60+ they made it impossible to totally disable some.

    1. FormerFirefoxUser said on March 23, 2021 at 8:41 am

      But in the Icecat I am using, there is a disadvantage that if you have resistFingerprinting enabled then the browser will reveal that it is Icecat in the useragent from javascript.
      https://browserleaks.com/javascript

      1. Anonymous said on March 23, 2021 at 11:31 am

        Revealing not using a mainstream browser instead of spoofing the user agent string may have a small fingerprinting cost but this has to be balanced with the benefit of telling sites and browser market share statistics tools that mainstream browsers are less hegemonic than they would look like if the user agent string was spoofed. The big browser companies probably love the idea that every user is pretending to use their browsers, it helps them kill the ethical alternatives. Adding a little bit of fingerprinting fear helps that.

    2. FormerFirefoxUser said on March 23, 2021 at 8:20 am

      @ConspiracyTheorist Use Icecat based on latest Firefox ESR. Most autoconnections are disabled by default and you can disable the rest by changing the configurations.

  17. Iron Heart said on March 22, 2021 at 3:06 pm

    What Brave and even Chrome have already done… Except that Firefox gets its own article for it. :D

    1. Anonymous said on March 23, 2021 at 4:45 pm

      https://bugzilla.mozilla.org/show_bug.cgi?id=1589074#c0

      “Google planned to ship that, I think it’s worth shipping it to in Firefox. But maybe we can wait until successfully shipping in Chrome”

      Google decides. Mozilla follows.

      1. Someone said on March 24, 2021 at 11:55 am

        @ironheart usual haters? Lmao it’s you who’s active 24*7 with almost no life trying to prove something in almost every other post of ghacks

      2. Iron Heart said on March 24, 2021 at 1:31 pm

        @Someone

        And this is your business exactly how? Also, my post didn’t contain any hate, just two facts. Writing that took me, like, under 1 minute, approximately.

      3. someone said on March 25, 2021 at 3:04 pm

        @bronzeheart, like my post had some hate

      4. Unknown person said on March 25, 2021 at 8:39 am

        And the comment section is yours?

        You want to post in public space, then get ready for people to push back if they don’t like what you’re doing.

        But hey, cry more, you no life.

    2. Tom said on March 23, 2021 at 11:35 am

      > What Brave and even Chrome have already done

      Firefox as well – it’s been the default in private mode for three years. New in Firefox 87 is expanding it to every user. But Firefox users have already been able to do this for many years, even in non-private mode, if they wanted to do this.

    3. Anon7 said on March 22, 2021 at 8:33 pm

      @IronHeart

      Lulz

      > What Brave and even Chrome have already done… Except that Firefox gets its own article for it. :D

      I hope you wore your Brave T-Shirt and Hat when you decided to write that because if you did not ITS VERY UN-BRAVE of you for BRAVE-TODAY.

      1. Iron Heart said on March 23, 2021 at 8:17 am

        @the usual haters

        I see you are still allergic to the facts…

        Fact 1: There was a flag in Chromium called chrome://flags/#reduced-referrer-granularity which did the exact same thing the article here described – Google removed it, because it is now the default.

        Fact 2: There was no article about this development in Chromium, but we get a filler article for Firefox.

        You guys are arguing against the facts. :D I don’t think I am the one with the hate boner here.

      2. Anon7 said on March 23, 2021 at 1:32 pm

        @IronHeart

        Do you really actually believe that google has your best interests at heart when you decide to use chromium or forks of chromium?

        You can almost guarantee that they hate Brave, much more than what you call the “usual haters” on these comments sections.

        I expect Brave to be completely crippled soon enough by googles chromium adopting troublesome web standards. Brave is in bed with the devil.

        Google products should be boycotted in my opinion, their censorship is truly disgusting. I don’t want big-tech deciding who i can or can not listen to. I find them to be deplorable.

        That is reason enough to take an ethical stand and not use their software as much as possible.

        Google actively censors free speech, mozilla has no power to do so. That is a big difference.

      3. Iron Heart said on March 23, 2021 at 3:41 pm

        @Anon7

        1) The web standards are also being implemented by browsers other than Chromium. That’s why they are called “web standards”.

        2) That Mozilla has a code base different from Chromium does not automatically make them trustworthy. That’s a non-sequitur.

        3) Browser devs can ungoogle Chromium and there are also internal kill switches for various web standards.

        4) If you are worried about censorship, perhaps you shouldn’t use a browser from a company that claims that “we need more than deplatforming” (Mozilla). They can also censor which websites you are allowed to go to within the browser, no problem.

        But I know that you are woefully unable to understand all of these points…

      4. Anon7 said on March 23, 2021 at 8:31 pm

        It will be interesting to see how Brave can afford the extra cost for them to keep the Chromium code base unlinked from the mainstream direction that google is taking it. I have no confidence in them to be able to keep up.

        Manifest V3 is nowhere near finished yet (despite what some may say), its full implementation is only beginning. Brave and vivaldi are going to go the way of the dodo by trying to keep up with chromium code’s invasive privacy practices. Google’s direction is completely the opposite direction to what brave or vivaldi wants. Breakage, breakage, UBO works way better on firefox not chromium forks. Brave saying they are supporting UBO is a joke.

        Google hates UBO. Brave a privacy browser supports chromium, what a joke. It would stand to reason that since their tor windows broke, UBO will also be prone to breakage on chromium forks going forward.

      5. Anon7 said on March 23, 2021 at 7:46 pm

        > 1) The web standards are also being implemented by browsers other than Chromium. That’s why they are called “web standards”.

        Mozilla is continuing to support blocking webrequest calls when manifest V3 arrives, chromium will not support it. Mozilla are more accommodating to excellent extensions like UBO. Google chromium is trying to make life hell for such extensions.

        > 2) That Mozilla has a code base different from Chromium does not automatically make them trustworthy.

        Who the hell releases open source code for their browser and then makes their browser totally proprietary? google will always be automatically more untrustworthy due to their history.

        > Browser devs can ungoogle Chromium and there are also internal kill switches for various web standards.

        Will brave offer support to block webrequest calls when V3 arrives so UBO can be used? Or should people be relying on their inferior ad blocker?

        > If you are worried about censorship, perhaps you shouldn’t use a browser from a company that claims that “we need more than deplatforming” (Mozilla). They can also censor which websites you are allowed to go to within the browser, no problem.

        What websites are they censoring? you’re full of sh1t, no one should be taking the rants of their ceo seriously. She is a virtue signaler. Until there is active censorship, your argument falls dead on its ass.

        > But I know that you are woefully unable to understand all of these points…

        I understand that google is way worse than what mozilla is.

      6. Anonymous said on March 23, 2021 at 11:10 am

        Iron Heart still playing the victim … makes a useless post, gets surprised when called out, attacks “the usual haters”

      7. Iron Heart said on March 23, 2021 at 12:48 pm

        @Anonymous

        I don’t need to “play the victim” when it’s obvious that you guys are just unable to cope with reality. In fact, I am laughing at you.

    4. Anonymous said on March 22, 2021 at 8:26 pm

      The only thing they change is to make it default. You were always able to remove the whole referer in Firefox if you wanted. They didn’t do it because sites like instagram and others rely on it for surfing between pages and images. You can look for “network.http.sendRefererHeader” in about:config.

    5. relax fella said on March 22, 2021 at 7:17 pm

      And you get to be the first to comment, like in every Mozilla related article! What a crazy world we live in!

    6. someone said on March 22, 2021 at 5:27 pm

      and someone needed to comment to soothe their own ass which is almost always burning for no reason

      1. Unknown person said on March 23, 2021 at 5:58 am

        @someone: It’s Iron Heart. His hateboner for Firefox and his slavelike devotion to Brave means he’ll shitpost when he sees a Firefox thread ASAP. It’s like he has nothing better to do in life.

      2. Anon7 said on March 22, 2021 at 8:43 pm

        I can not wait for the “Google Chromium Engine Guys” to swirl around another FF article. It’s so entertaining.

        Their only argument is that Google funds FF.

        So funny when chromium forks are completely reliant on the G for their scraps.

        Mozilla has more independence than chromium forks from google.

        (A) They could terminate that google search engine at the drop of a hat when the contract is up, like they did with YAHOO.

        (B) They are looking for alternative means of funding (good sign) through the VPN service they are launching.

        Meanwhile Brave can’t even run a tor window correctly due to its crap internal ad blocker which is complete sh1t compared to gorhill’s masterpiece.

        Chromium is also prone to WebRTC leaks, absolute rubbish engine.

        Gecko >Chromium
