Spoof or block HTTP referral header #1663
Comments
Duplicate of gorhill/uBlock#3604
@uBlock-user Would you mind leaving open this one instead? Discussion is locked on the old issue tracker.
You just commented here, so no need to keep it open.
Right, but it gets confusing if all discussion happens under a closed issue. If not no worries.
I was looking at this one recently and investigated what could be done, and came to the conclusion the safest approach would be to simply expose the setting
@gorhill Since uMatrix is not supported anymore, it would be nice to have the same per-site switch "Spoof Referer header" in uBlock.
Note that Firefox and now Ungoogled Chromium allow disabling the referer in their flags.
@J-James I heard that but it would be nice to have a per-site setting so we can quickly disable it for a site only if there is an issue. Blocking the Referer HTTP header can also be done with an addon like Header Editor (which supports request and response headers) but it is less convenient than the uMatrix switch.
Prerequisites
I tried to reproduce the issue when...
Description
(The issue is present after disabling uBlock Origin in the browser.)
The HTTP referral header leaks potentially identifying and frequently unwanted information about the user.
A specific URL where the issue occurs
https://www.google.com/search?q=test+your+referrer+url+vividata
Steps to Reproduce
Expected behavior
uBlock Origin could add blocking the HTTP referral header as a privacy setting.
There is (to my knowledge) no upside to the referral header, from a user experience.
Actual behavior
The referral header is not blocked or spoofed, and sites can find out the previous page you visited. This has privacy implications, particularly around fingerprinting - but more generally, it's just excess information that is usually used in a bad way.
Here's an example of the referral header being used for malicious purposes (click on the article link, potentially NSFW): https://news.ycombinator.com/item?id=3132752
uBlock Origin version
1.36.2
Browser name and version
Ungoogled Chromium 91.0
Operating System and version
Arch Linux 5.12
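
To make concrete what a destination site learns from the header discussed in this issue, the following added example (not part of the issue and not uBlock Origin's code) computes the Referer value under each standard Referrer-Policy value, using a simplified form of the W3C Referrer Policy algorithm. The destination URL is a constructed placeholder, and the downgrade check is reduced to HTTPS-to-non-HTTPS as an assumption.

```javascript
// Added illustration. Simplified W3C Referrer Policy computation: returns the
// Referer value a browser would send, or null when the header is omitted.
const POLICIES = [
  'no-referrer', 'origin', 'same-origin', 'strict-origin',
  'no-referrer-when-downgrade', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
];

// Credentials and fragment are never sent; non-HTTP(S) pages send nothing.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  return originOnly ? u.origin + '/' : u.href;
}

function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // Assumption: "downgrade" means leaving HTTPS for a non-HTTPS destination.
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  const full = stripForReferrer(fromUrl, false);   // path and query included
  const origin = stripForReferrer(fromUrl, true);  // scheme://host[:port]/ only
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return origin;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : origin);
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Map every policy to what the destination would learn.
function leakReport(fromUrl, toUrl) {
  return Object.fromEntries(POLICIES.map(p => [p, refererFor(p, fromUrl, toUrl)]));
}

// Source URL is the one given in the issue; the destination is constructed.
const FROM = 'https://www.google.com/search?q=test+your+referrer+url+vividata';
const TO = 'https://destination.example/landing';
console.log(leakReport(FROM, TO));
```

Policies that return the full URL expose the search query to the destination; the origin-only policies reduce that to the site name, and `no-referrer` omits the header.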