Skip to content

Commit

Permalink
add network.http.referer.XOriginPolicy: 2 in addition to referer spoo…
Browse files Browse the repository at this point in the history
…fing:

Users wanting to disable referer spoofing to workaround listed problems will still be protected against disclosing previously visited pages to target domains when clicking on a link
  • Loading branch information
nodiscc committed Mar 15, 2017
1 parent b70f602 commit fe7555a
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 1 deletion.
4 changes: 3 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,8 @@ HTTP protocol related entries. This affects cookies, the user agent, referer and
* Enable CSP 1.1 script-nonce directive support [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=855326) ]
* Enable Content Security Policy
* Enable Subresource Integrity [ [1](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) [2](https://wiki.mozilla.org/Security/Subresource_Integrity) ]
* Send a referer header with the target URI as the source [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=822869) ]
* Send a referer header with the target URI as the source [ [1](https://bugzilla.mozilla.org/show_bug.cgi?id=822869) [2](https://github.com/pyllyukko/user.js/issues/227) ]
* Don't send referer headers when following links across different domains [ [1](https://github.com/pyllyukko/user.js/issues/227) ]
* Accept Only 1st Party Cookies [ [1](http://kb.mozillazine.org/Network.cookie.cookieBehavior#1) ]
* Make sure that third-party cookies (if enabled) never persist beyond the session. [ [1](https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/) [2](http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly) [3](https://developer.mozilla.org/en-US/docs/Cookies_Preferences_in_Mozilla#network.cookie.thirdparty.sessionOnly) ]

Expand Down Expand Up @@ -378,6 +379,7 @@ Hardening your often implies a trade-off with ease-of-use and comes with reduced
* Do No Track must be enabled manually
* Spoofing referers breaks functionality on websites relying on authentic referer headers
* Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
* Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
* Blocking 3rd-party cookies breaks a number of payment gateways
* You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941
* Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27)
Expand Down
6 changes: 6 additions & 0 deletions user.js
Original file line number Diff line number Diff line change
Expand Up @@ -511,11 +511,17 @@ user_pref("security.sri.enable", true);

// PREF: Send a referer header with the target URI as the source
// https://bugzilla.mozilla.org/show_bug.cgi?id=822869
// https://github.com/pyllyukko/user.js/issues/227
// NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
// NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
// NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
user_pref("network.http.referer.spoofSource", true);

// PREF: Don't send referer headers when following links across different domains
// https://github.com/pyllyukko/user.js/issues/227
user_pref("network.http.referer.XOriginPolicy", 2);

// PREF: Accept Only 1st Party Cookies
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
// NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways
Expand Down

0 comments on commit fe7555a

Please sign in to comment.