Q: Referers: prefs + uM + Smart Referer #361

Closed
crssi opened this issue Feb 13, 2018 · 19 comments

crssi commented Feb 13, 2018

No doubt the ghacks-user.js referer spoofing solution is very very good, but occasionally I have a need to relax those a bit.

I am just wondering what you guys are using for real to deal with those?
Is it uM or Smart Referer, or something else?

@Forsaked

I disabled every referer spoofing in the user.js and just use uMatrix to handle this.

crssi commented Feb 13, 2018

Thank you for the feedback 👍
@Thorin-Oakenpants what are your active prefs then, since I am also leaning toward uM now, to handle cross origins. I also have trouble finding the details of how uM handles those.

crssi commented Feb 13, 2018

but... cross origins are already covered by user.js master.
I am puzzled now: what do you need uM referer spoofing for?

@Forsaked

@Thorin-Oakenpants Yeah, I just use the default values.

crssi commented Feb 13, 2018

Cool... the only diff I can see is to reset network.http.referer.XOriginPolicy from 1 to 0 (default) and use uM referrer-spoof: * true

Thank you @Forsaked and @Thorin-Oakenpants

If there are any other ideas... I am open to it. :)

Cheers

@Thorin-Oakenpants Thorin-Oakenpants changed the title Q: referers control Q: Referers: prefs + uBO + Smart Referer Feb 14, 2018
@Thorin-Oakenpants Thorin-Oakenpants changed the title Q: Referers: prefs + uBO + Smart Referer Q: Referers: prefs + uM + Smart Referer Feb 14, 2018
crssi commented Feb 14, 2018

@Thorin-Oakenpants

> I just wanna know exactly what uM spoofs as for 3rd party - since the extension overrides any FF prefs - someone dig out that info quick stat!

I haven't tested (I am your dogmatic believer 😃), but from your comment I understand that whatever is set in prefs, for example network.http.referer.XOriginPolicy, doesn't matter if I am using uM referer spoofing?

crssi commented Feb 14, 2018

I have tested a few scenarios and here are my findings:

/* 1603: CROSS ORIGIN: control when to send a referer [SETUP]
 * 0=always (default), 1=only if base domains match, 2=only if hosts match ***/
user_pref("network.http.referer.XOriginPolicy", 1);

Short explanation:
Here I have a web application, let's say https://mypage.mydomain.com/
On the main page I can click a link (out of many) which opens a new window (in my case a new tab) to the same "domain", let's say https://mypage.mydomain.com/someinfo?id=12345
In this new tab I have additional info of interest.

Test 1:
pref = network.http.referer.XOriginPolicy = 1
uM = referrer-spoof: * true

The newly opened page does NOT WORK.

Test 2:
pref = network.http.referer.XOriginPolicy = 1
uM = referrer-spoof: * true, referrer-spoof: mypage.mydomain.com false

The newly opened page does NOT WORK.

Test 3:
pref = network.http.referer.XOriginPolicy = 0
uM = referrer-spoof: * true

The newly opened page IS WORKING.

If you have some ideas for additional test case, let me know and I will be happy to try.

Cheers
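
The pref comment in the post above lists three XOriginPolicy values; the sketch below, an added example and not code from this thread or from Firefox, models that decision for a few constructed navigations. `SUFFIXES`, `baseDomain`, `sendsReferer`, `matrix` and `static.mydomain.com` are hypothetical names, and the tiny suffix set is an assumed stand-in for the Public Suffix List.

```javascript
// Added illustration: models the decision documented in the 1603 pref comment
// (0=always, 1=only if base domains match, 2=only if hosts match).
// SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// Base domain = longest matching public suffix plus one more label.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return host.toLowerCase(); // unknown suffix (e.g. a LAN name): host is its own base
}

// Would a Referer header be sent for a navigation fromUrl -> toUrl?
function sendsReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl).hostname;
  const to = new URL(toUrl).hostname;
  switch (policy) {
    case 0: return true;                                // always
    case 1: return baseDomain(from) === baseDomain(to); // base domains match
    case 2: return from === to;                         // hosts match
    default: throw new RangeError("XOriginPolicy must be 0, 1 or 2");
  }
}

// Constructed navigations starting from the main page used in the tests above.
const MAIN = "https://mypage.mydomain.com/";
const CASES = [
  ["same host", "https://mypage.mydomain.com/someinfo?id=12345"],
  ["sibling subdomain", "https://static.mydomain.com/app.js"],
  ["other site", "https://player.vimeo.com/video/1"],
];

// One row per navigation: is the referer sent under policy 0, 1 and 2?
function matrix() {
  return CASES.map(([label, to]) => ({
    label,
    sent: [0, 1, 2].map((p) => sendsReferer(p, MAIN, to)),
  }));
}

for (const row of matrix()) console.log(row.label, row.sent.join(" "));
```

This models the pref alone; uMatrix's referrer-spoof switch is not modelled.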

crssi commented Feb 14, 2018

I am puzzled also, why this case is treated as cross origin when it's clearly not?
Maybe FF bug, when the followed new page is opened in a new window/tab?

Just thinking out loud, my maybe "connected with this case" prefs (especially the second one):
privacy.firstparty.isolate = false
privacy.firstparty.isolate.restrict_opener_access = true

Need to test.

Update:
Tried privacy.firstparty.isolate.restrict_opener_access = false scenarios, but no joy.

@earthlng
Contributor

@crssi your example makes no sense. IF that page is not working it's most likely because it tries to load something from another domain. Just open the network manager and see which requests are failing.

> Maybe FF bug, when the followed new page is opened in a new window/tab?

does it work when you open it in the same tab then? I highly doubt it

crssi commented Feb 14, 2018

I haven't expressed myself well. The page does load, but the application says "You must open main application window".
Network manager shows no request failing and there is no other domain nor other host.

@earthlng
Contributor

can you share the page where this happens?

@earthlng
Contributor

and this only happens if you open the link in a new tab?

crssi commented Feb 14, 2018

I cannot share, since it's an internal application working only on LAN.
The application always opens a new tab/window when clicking on a link in the main window.
You can imagine that you have, for example, a list of customers in the main window, and clicking on a specific customer opens a new window with that customer's details.

@2glops

2glops commented Feb 28, 2018

options available for SR :
Strict mode = domain and subdomain are considered different hosts
Exceptions = always allow referer (source / destination)
Whitelist source
Rewrite mode

@earthlng
Contributor

crssi commented Feb 28, 2018

@Thorin-Oakenpants
I am puzzled now.
Isn't uM referer spoofing control sufficient?
Which limitation, if any, in uM is/are bothering you?

@2glops

2glops commented Feb 28, 2018

Whitelist source = simple text list, one should be able to write one's own list

Rewrite mode has 3 possible sets, but you can't set it on the fly by site, you have to enter the configuration page:
send the destination as referer
send nothing, direct hit
send your own chosen referer

If you don't use strict mode, your rewrite mode is applied on the domain basis

@atomGit

atomGit commented Mar 10, 2018

also see #373

also, i stopped using uM recently - i'm running uBO in advanced and using a legacy cookie controller to dispose of storage - feelings are mixed so far, but i'm still testing

crssi commented Mar 23, 2018

It might be better if uM had a different kind of implementation for referer spoofing.
What I have in mind is:
add another "referer" column in the switch panel, beside frame or other.
Then the scope would be the "source" and the column square would represent the "destination".
green=allow referer
red=spoof referer

and in the config then for example
referrer-spoof: * * true
referrer-spoof: * player.vimeo.com false

This way we could get rid of "Smart Referer" as additional extension. Don't get me wrong here, I am not saying that "Smart Referer" isn't good, but uM could replace it in this case.

What do you think?

6 participants