
Spoof or block HTTP referral header #1663

Closed
8 tasks done
omentic opened this issue Jul 18, 2021 · 8 comments
Labels
duplicate This issue or pull request already exists

Comments

@omentic

omentic commented Jul 18, 2021

Prerequisites

I tried to reproduce the issue when...

  • uBO is the only extension
  • uBO with default lists/settings
  • using a new, unmodified browser profile

Description

(The issue is present after disabling uBlock Origin in the browser.)

The HTTP referral header leaks potentially identifying and frequently unwanted information about the user.

A specific URL where the issue occurs

https://www.google.com/search?q=test+your+referrer+url+vividata

Steps to Reproduce

  1. Open the specific URL above.
  2. Click on the first link in the search results: https://members.vividata.ca/test-your-referrer-url/
  3. Observe that the previous site can be found from the HTTP referrer.

Expected behavior

uBlock Origin could add blocking the HTTP referral header as a privacy setting.

There is (to my knowledge) no upside to the referral header, from a user experience.

Actual behavior

The referral header is not blocked or spoofed, and sites can find out the previous page you visited. This has privacy implications, particularly around fingerprinting - but more generally, it's just excess information that is usually used in a bad way.

Here's an example of the referral header being used for malicious purposes (click on the article link, potentially NSFW): https://news.ycombinator.com/item?id=3132752

uBlock Origin version

1.36.2

Browser name and version

Ungoogled Chromium 91.0

Operating System and version

Arch Linux 5.12
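The leak in the steps above depends on which Referrer-Policy the browser applies to the navigation. As an added illustration (not code from the issue author or from uBlock Origin), the function below computes the Referer value a browser sends for a navigation from one URL to another under each policy value, following the W3C Referrer Policy rules in simplified form (the trustworthiness check only treats https and loopback as secure, which is an assumption of this example). It generalizes the single Google-to-vividata case in the issue to all policy values, which shows why the search query leaks under `no-referrer-when-downgrade` and `unsafe-url` but not under the modern default `strict-origin-when-cross-origin`, which sends only the origin cross-site.

```javascript
// Added example: derive the Referer a browser would send for a navigation
// from `from` to `to` under a given Referrer-Policy value. Simplified from
// the W3C Referrer Policy algorithm; not uBlock Origin code.

function stripForReferrer(url) {
  // A referrer never carries credentials or the fragment.
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

function isPotentiallyTrustworthy(u) {
  // Assumption of this example: https and loopback count as secure contexts.
  return u.protocol === 'https:' ||
         u.hostname === 'localhost' || u.hostname === '127.0.0.1';
}

// Returns the Referer string, or null when no header is sent.
function referrerFor(from, to, policy = 'strict-origin-when-cross-origin') {
  const src = new URL(from);
  const dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  // "downgrade" = leaving a secure context for an insecure one
  const downgrade = isPotentiallyTrustworthy(src) && !isPotentiallyTrustworthy(dst);
  const full = stripForReferrer(from);      // path and query included
  const originOnly = src.origin + '/';       // scheme://host[:port]/ only

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return full;
    case 'origin':
      return originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// The navigation from the issue's reproduction steps, under three policies.
const FROM = 'https://www.google.com/search?q=test+your+referrer+url+vividata';
const TO = 'https://members.vividata.ca/test-your-referrer-url/';
for (const p of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin', 'no-referrer']) {
  console.log(p.padEnd(32), '->', referrerFor(FROM, TO, p));
}
```

A page that wants to stop leaking its own URL can set `Referrer-Policy: no-referrer` (header or `<meta name="referrer">`), but that is the sending site's choice; the issue asks for the receiving user's browser or extension to enforce it regardless, which is what a global or per-site switch would do.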

@uBlock-user
Contributor

Duplicate of gorhill/uBlock#3604

@uBlock-user uBlock-user marked this as a duplicate of gorhill/uBlock#3604 Jul 18, 2021
@uBlock-user uBlock-user added the duplicate This issue or pull request already exists label Jul 18, 2021
@omentic
Author

omentic commented Jul 18, 2021

@uBlock-user Would you mind leaving open this one instead? Discussion is locked on the old issue tracker.

@uBlock-user
Contributor

> Discussion is locked on the old issue tracker.

You just commented here, so no need to keep it open.

@omentic
Author

omentic commented Jul 18, 2021

Right, but it gets confusing if all discussion happens under a closed issue.

If not, no worries.

@gorhill
Member

gorhill commented Jul 18, 2021

I was looking at this one recently and investigated what could be done, and came to the conclusion the safest approach would be to simply expose the setting referrersEnabled as a global privacy setting.

@baptx

baptx commented Jul 22, 2022

@gorhill Since uMatrix is not supported anymore, it would be nice to have the same per-site switch "Spoof Referer header" in uBlock.
Related: gorhill/uBlock#3604

@omentic
Author

omentic commented Jul 22, 2022

Note that Firefox and now Ungoogled Chromium allow disabling the referer in their flags.

@baptx

baptx commented Aug 5, 2022

@J-James I heard that but it would be nice to have a per-site setting so we can quickly disable it for a site only if there is an issue. Blocking the Referer HTTP header can also be done with an addon like Header Editor (which supports request and response headers) but it is less convenient than the uMatrix switch.
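The per-site switch requested in this thread is, mechanically, a rule lookup keyed by the destination host followed by a rewrite of the outgoing header list. The following is an added example of that shape (not uMatrix's or uBlock Origin's code, and not a description of uMatrix's exact behaviour): a rule table with `allow`, `spoof` and `block` modes, and a pure function that applies the matching rule to a webRequest-style `requestHeaders` array. The spoof strategy used here, replacing a cross-origin referrer with the destination's own site root, is an assumption of the example. The final wiring into `browser.webRequest.onBeforeSendHeaders` (a Manifest V2 / Firefox API; Chrome's Manifest V3 would instead need a `declarativeNetRequest` header-modification rule) is guarded so the block also runs outside a browser.

```javascript
// Added example: per-site Referer handling over a webRequest-style header
// array. Constructed sample rule table; keys are destination hostnames
// (parent domains match too), '*' is the fallback.
//   'allow'  keep the header exactly as the browser built it
//   'spoof'  cross-origin referrer becomes the destination site root
//   'block'  remove the header entirely
const rules = {
  '*': 'spoof',
  'members.vividata.ca': 'block',
  'intranet.example': 'allow',
};

// Most specific match first: exact host, then each parent domain, then '*'.
function ruleFor(hostname, table = rules) {
  const labels = hostname.split('.');
  for (let i = 0; i < labels.length - 1; i++) {   // never match the bare TLD
    const candidate = labels.slice(i).join('.');
    if (table[candidate]) return table[candidate];
  }
  return table['*'] || 'allow';
}

// Returns a new header array; the input is not mutated.
function filterReferer(requestUrl, requestHeaders, table = rules) {
  const dst = new URL(requestUrl);
  const mode = ruleFor(dst.hostname, table);
  const out = [];
  for (const h of requestHeaders) {
    if (h.name.toLowerCase() !== 'referer') { out.push(h); continue; }
    if (mode === 'block') continue;                 // drop the header
    if (mode === 'spoof') {
      const ref = new URL(h.value);
      // Same-origin referrers reveal nothing new to the site; keep them.
      // Cross-origin ones are replaced with the destination's site root.
      const value = ref.origin === dst.origin ? h.value : dst.origin + '/';
      out.push({ name: h.name, value });
      continue;
    }
    out.push(h);                                    // 'allow'
  }
  return out;
}

// Constructed sample request: the navigation from the issue's steps.
const sampleHeaders = [
  { name: 'Host', value: 'members.vividata.ca' },
  { name: 'Referer', value: 'https://www.google.com/search?q=test+your+referrer+url+vividata' },
];
console.log(filterReferer('https://members.vividata.ca/test-your-referrer-url/', sampleHeaders));

// Extension wiring (assumed Manifest V2 / Firefox webRequest API; skipped when
// running outside a browser). Not part of uBlock Origin.
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    details => ({ requestHeaders: filterReferer(details.url, details.requestHeaders) }),
    { urls: ['<all_urls>'] },
    ['blocking', 'requestHeaders']
  );
}
```

Keeping same-origin referrers intact under `spoof` is what makes a per-site switch usable in practice: sites that validate the Referer for their own forms or downloads keep working, while the page you arrived from on another site is no longer disclosed.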
