-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
discussion: redo 1600s referers section (& new prefs in 52+53) #5
Comments
The blog from Scott Helme talks about the Referrer-Policy header. The header can be implemented by web developers on their site to control the referrer behavior on their domain. basically it belongs near the category of headers like the CSP (content security policy). I would assume where the settings conflict, the option where the least amount is send wins. Note I have not read the standard but I suppose at the moment it's a bit of an undefined behavior where the browser vendors can decide what takes precedence. I agree on using an extension like Smart Referer. I guess FF preferences and the extension can compliment each other. |
The 2nd of the new prefs is now fixed for FF53. All it does is "If request’s referrer policy is the empty string, then set request’s referrer policy to "no-referrer-when-downgrade". (by default) |
If I have the 'network.http.sendSecureXSiteReferrer' = false, then aliexpress.com login page does not work. cheers |
So I see three worthwhile recommendations:
Note that restricting the referrer on the same site doesn't really buy you anything because a site can always see you in their access logs. So |
uMatrix handles smart-referer has a whitelist.txt acting as a workaround for troubling sites. |
"Deprecated" usually means it's still there but not for long and you should stop using it. It's the step before the actual removal :)
The values are "documented" in
|
Note that, as I mention briefly in my referrer blog post, spoofing increases your exposure to cross-site request forgeries. Some sites use the referrer header to detect POST requests originating from other sites and block them. By spoofing, you enable the attackers to work-around this protection. A more secure (and equally privacy-protecting) option is to strip cross-origin referrers and leave same-origin referrers alone ( |
"By spoofing, you enable the attackers to work-around this protection." I think if we set at least one of the referer-prefs we should also enforce the default values for every other ref-pref. I suggest we set |
Observations... I have tested for now functionality on login page at aliexpress.com: https://login.aliexpress.com/ Those settings are most restricted where aliexpress.com login still works: I have not drilled down yet if this makes any senses and if some setting exclude any other or even nulls the idea totally. |
@crssi, thank you, but there's probably some overlap with a few of them.
I've come to the conclusion that we should only set XOriginPolicy to 1, so less breakage, maybe with a note to set it to 2 for people who don't mind the occasional breakage, and to enforce the default values for everything else. If something breaks it would be only 1 pref they'd need to temporarily change. changing XOriginTrimmingPolicy only causes unnecessary breakage when XOriginPolicy is set to 1 or 2. With all the todos because of the move to github I think we will deal with all ref-prefs when FF52 is released, but if you would like to help out until then, it would be very helpful if you set XOriginPolicy to 1 and leave everything else on default and test if you encounter any more breakage. I suspect it should be just fine and not cause any breakage, and if you could confirm that, it would help me to convince Pants to include XOriginPolicy = 1, finally ;) |
@fmarier Can you elaborate on that? How does that any good for PB when a site is in full control of it? Is it enforced in PB or how does that work? I don't understand how one pref can do one thing in normal mode and something else in PB. Especially since it doesn't really do anything in the first place. ps. Thank you so much for participating in our little project here! I never imagined we would ever have 'direct access' to a freakin' Security Engineer from mozilla! #mindblown |
@earthlng Yes, I am on FF51. |
@earthlng Feel free to add some, if I have missed it: |
@crssi a life came in between - meaning you had a baby?? in that case - Congratulations my friend! Otherwise, it would be great if you only set You're still well-protected with that one pref only, because it doesn't send any ref-headers to 3rd party sites:
|
@earthlng Lol, no. I already have a few kids, little devil gems :). Will do the suggested settings, make the referral tests and test the sites. |
@earthlng OK, I am back and you were right.. everything on default and only |
There are multiple ways to make users safer on the web. For example:
As a user, if you set the maximum referrer to
I'm also a privacy nerd at heart, so I would be interested in this project even if I weren't working on Firefox :) |
I have been using I also think that |
|
|
@crssi no, you don't need
Yes, that's correct afaik |
👍 @fmarier url. 1600: An extension could be proposed here? As https-by-default.
https://github.com/Rob--W/https-by-default#firefox |
Yes, if you don't trim, then you get the full URI (unless the browser would already trim it or suppress it like when it's an HTTPS-to-HTTP downgrade). The only thing that's not quite right IMHO is the guidance around Do Not Track. While it is widely ignored, there are a few popular sites / frameworks that do actually honor it and reduce the amount of tracking they do server-side when they see it: Twitter, Medium.com and also Piwik (Open Source analytics package). Given it's a single bit of entropy (on / off) and that it helps on some popular sites, I personally choose to leave it ON. Also I think you can omit |
@fmarier @pants, if I understood @fmarier's comment correctly, he said to either set IMO we should also enforce 1606, and maybe even set it to 2 instead of 3. |
@pants, I think you can remove the |
We can also include |
That's required by the DNT specification. It's intended to be a signal that the user sends to the site. If it were the default, then it wouldn't be a signal because it would be more likely that the user doesn't know anything about DNT and simply didn't change the defaults. We did however choose to turn it on when the user has tracking protection enabled. By turning on tracking protection, the user is sending a signal that they don't want to be tracked, so it makes sense to also send that through the DNT header.
Not sending referrers when going from HTTPS to HTTP is the default behavior of all browsers.
It's only looking at the hostname and not the scheme.
That's a partial feature flag that's likely to be removed later. There's no harm in setting it to its default value, but it's not a particularly useful user control. It allows sites to trim the referrer on links and images for example, on an individual basis. |
it does
it doesn't |
|
@fmarier, then why is there a need for things like |
Because we need a name for the default behavior :)
Because it sends the full URI as the referrer in all cases other than HTTPS-to-HTTP. We want sites to be able to opt into sending less information in their referrer if they want to.
A site cannot ask for more referrer than what the user allows via |
no,
|
@fmarier, you miss-understood my question.
Yes, I totally understand that, but even with |
The main reason why the referrer policy allows sites to work around the default restriction (the one that prevents HTTPS-to-HTTP referrers) is that it's preventing some sites from switching their main site to HTTPS. It's possible we'll be able to remove this ability later once HTTPS adoption (and HTTP deprecation) has progressed further.
First of all, just to be clear on the terminology, Secondly, despite the name, So if you have a page on
|
Not sure if relevant but there is a Google Chrome plugin called Referer control: https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin |
If
So that confirms why I thought we shouldn't set |
Love your commit :)
|
Yes, that's even better. But needs some clarification, like what does Option 2: As per the settings below: Set XOriginPolicy (1603) |
I can deal with a lot of breakage and don't mind doing it, if it helps security/privacy/etc but Option1 ("our" recommended option) is not something I personally would even want to do. And it is so "breaking" that there's also the risk that users will end up allowing way too much permissions. fe. facebook.com > send referer everywhere. And hence they end up less protected than using option 2 or 3 instead. But anyway, I see that you edited your proposal and it's fine. (is it "to set at" or "to set to"? - i think it's "leave at" and "set to", but that's just nitpicking on a high level :) ) |
afaik it can not be "read" but it can certainly be observed by a website in their logfiles. They won't know which pref or addon you use to spoof, trim or remove the Referer but they will know that you do and which one of the 3 it is. The guy who asked the question said he removes the header anyway so that overwrites all the other prefs, including
The referer policy header is sent by the server, not the client. But if a https site (without a Referer Policy header!) embeds an image from one of their own (sub)domains over HTTP instead of https then the default value (3) for |
What @earthlng said is right. The value of the pref isn't directly visible to websites, but it can be inferred to some extent based on the effect that it has in trimming or suppressing the referrer. The same is true of all of the of the other referrer prefs. A site can tell that something is filtering the referrers, but they can't tell exactly what it is. It could be a proxy server for example. |
Once it's fixed Negotiator should be able to do that |
|
^^ A network glitch. |
The 1600: Referers section needs some love. We have some changes coming up in the next release (52). These are
Deprecated in 52+
1601:
network.http.sendSecureXSiteReferrer
New in 52+ (currently in section 9999)
// 1600's: restrict the contents of referrers attached to cross-origin requests (FF52+)
// 0- 1- 2-scheme+hostname+port
// user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
// 1600's: default referrer fallback override? (FF52+?)
// 0-no-referer 1-same-origin 2-strict-origin-when-cross-origin
// 3-no-referrer-when-downgrade (default)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1304623
// user_pref("network.http.referer.userControlPolicy", 3);
I also came across this article released today: https://scotthelme.co.uk/a-new-security-header-referrer-policy/ which nicely describes what each type of referer does exactly. Might be a good ref for you @pyllyukko
The 1600's section currently has only one active pref, and recommends using an add-on. In 52, it could be completely inactive - this doesn't seem right - surely some of these 7 prefs by default could be tightened up? And I think the section still needs better explanation (It's getting a bit confusing). I don;t mind losing all the numbering and starting from scratch, so it's logical. @fmarier 's opinion here would be great. Especially what the inactive defaults should be. Do we set them at FF defaults, or at most private or at a balance for less site breakage - and the new ones, what do we do with those: the first of which I have not filled in what 0 or 1 means, and I'd also like someone else to confirm what I already have is ok/right, including the descriptions.
The text was updated successfully, but these errors were encountered: