-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wiki: revisit smart referer recommendation #1433
Comments
It's been mentioned before changing the rewrite mode to Note that said security issue is specifically with CSRF which reads:
If I read this correctly, it implies that there is no security problem on sites that implement the second method. |
that seems odd, because whitelisting would default referers to a normal behavior.
at the cost of security, that's a big nope. if SR doesn't work even with the whitelist, imo it's best to relax
but we do not know who, what and when, meaning that there's no guarantee that's used unless there are some stats on the internet to back this up. |
Fwiw I use these settings #1326 (comment) and never experienced any breakage. |
Yeah I saw that. I tried it again and it worked. Not sure what happened last time. |
@g-2-s and @remyabel2 |
maybe it's time to find a better referer extension. not saying that SR is broken, but the lack of activity for years (from memory) is not particularly inspiring especially given future changes that I think will impact (manifest 3, permissions, service workers background pages). I think sooner or later we're probably gong to need to drop this extension as no longer maintained terms: (soz if I have this back to front) origin = where the item is held, destination = the site that requested it So is there an extension that blocks cross-site (eTLD+1 + scheme) referrers by default (like TZP's So, most sites (YMMV) work fine. Then you get a site that won't load images, so you add to the spoof list, it works. Another site, videos and images won't load - you add it to the spoof list, if doesn't work - you add it to the ignorelist, it works IDK if you can do anything about Sorry for my ignorance, I do nto use SR and can't remember anything about it when I did a screenshot a few months ago
|
yes, once rewrite mode is changed to Send nothing as referer, looking like a direct hit. at that point the user would need to either:
but IDK if that's worth it when one could simply relax |
blocking far outweighs relaxing. User goes to SiteA with youtube vid - why tell youtube your IP was on SiteA |
This comment was marked as outdated.
This comment was marked as outdated.
Missing configuration of Source -> Target domain pair. 😢 |
All I want is
What I don't want
|
For example... I would like to have |
^ so you whitelist |
^^ Not sure I understand your saying. 😢 ❤️ |
Here's hoping uBO adds this - uBlockOrigin/uBlock-issues#1663 (comment) - then users can block by default but allow per eTLD+1. No Spoofing or affecting of CSRF. This is honestly the only way to do it IMO - simple on/off - I personally don't think we need any of the complexity of origin vs destination And it would be one less extension for those who use Smart Referrer. Most users wouldn't want to disable all cross-site referers as per our default, it breaks too many platforms and properties. It's fine for me, but I'm also happy to use uBO to break most 3rd party anyway. The referrer pref 1601 is probably the biggest pref users have an issue with. If uBO added a block/enable per-site scope for this, then we could make that pref inactive, and just add a referer note to the uBO setup instructions |
that would be amazing and it would fit very well in uBO advanced mode (block everything and whitelist like in medium mode would be chef kiss). |
I've been using Beta 1.0beta1 for some days now and it seems to do its job nicely, I think. Dev also looks active and eager to improve it further so that's a big bonus in my book. |
I ask you to take a look at Referer Modifier again now that it has reached v1.1.0 and maybe really consider replacing Smart Referer with it. |
currently trying out referer modifier - it definitely needs some more focus on ease-of-use, but it's working great so far. |
Looks like referer modifier requires a lot of manual tweaking in order to make it effective. The default setting is almost the same as |
closing as invalid - I will not be recommending any referer extensions in future, see linked issue below |
the wiki mentions smart referer as a potential alternative to
1601
in case of breakage, and it also includes a couple tweaks (whitelist and strict mode).however one of the default settings of SR is rewrite mode, quoting the readme of the project:
this means that out of the box SR is spoofing referers which is not a good idea for security, and in fact it's enforced false using
6002
.the wiki should recommend changing rewrite mode to "Send nothing".
The text was updated successfully, but these errors were encountered: