Configurable referer switch or behavior change #24
Comments
Outright removing a referrer header can also cause issues: gorhill/httpswitchboard#222.
That's on facebook only, you cannot conclusively conclude that this will work for all the websites that host videos. Not to mention, websites can add their own referrer policy too, in that case this will also not work and you will be back to disabling the switch or trying spoofing to make it work.
I didn't say anything like that. But appearance of referrer-policy means that removing behavior will be more normal than earlier, which probably will result in less breakage now.
Referrer policy on site A doesn't mean that site B resources won't work with different policy. Even if they are related to each other. If that was true, then in times before referrer-policy sites wouldn't work with both spoofing and removing, because default referrer behavior was "send full referer in all cases". But spoofing often worked fine, same as removing header, though less often probably.
Yep, but that's not worse, that's better, right? You have more flexibility and need to disable switch completely only if both variants are not working.
But you did postulate this feature request based on facebook's case only, hence my first response was on that.
It's true in the case of
It would if the website admin decides to enforce a referrer policy and this turns just like that anti adblock war. So the possibility does exist. Take the example of facebook itself. I have been using facebook with referrer spoofing enabled for more than a year and the videos played just fine, however in the last couple of days, they decided to enforce a referrer policy and that led to #19 and #20 being filed here. I'm not against this feature to let you know, but it will not make a major difference in general to what the current state is.
Video plays fine without having to turn Referrer switch to off, seems like the issue was on facebook's end.
Prerequisites
Description
Related to #19 and #20 concerning web breakage and to gorhill/uMatrix#773 concerning security.
Is it possible to make referer switch configurable to either spoofing or completely removing? Or maybe just change spoofing behavior to removing header?
I think first reasons for uMatrix are always privacy and security (web breakage is expected). As mentioned in gorhill/uMatrix#773, removing referer is more secure, because some sites may check referer for CSRF-reasons (there is now https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ and maybe other things for this, but legacy is legacy). Same goes to privacy: considering appearance of https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy, sites now can tell browsers to strip or remove referers to third-party (but not to spoof), so removing should be less standing out than spoofing.
Breakage is less important, but I think removing referer will also become less breaking as time goes on. Example is facebook video in previous issues.
A specific URL where the issue occurs
https://www.facebook.com/nos/videos/2241787655836780/
Steps to Reproduce
Supporting evidence
Your environment
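The CSRF argument in the description, worked through as an added example (not uMatrix code and not from any participant in this thread). It assumes that spoofing replaces a third-party Referer with the root URL of the destination, and that a legacy site validates Referer either strictly (header required) or leniently (missing header allowed); all function names and the `.example` hosts are constructed for illustration.

```javascript
// Added illustration; not uMatrix code. All names here are hypothetical.

// Referer header sent for a request from pageUrl to requestUrl.
// mode "default": full page URL; "remove": no header at all;
// mode "spoof": ASSUMPTION - a third-party Referer is replaced with the
// root URL of the destination. Third-party is simplified to "hostname differs".
function outgoingReferer(pageUrl, requestUrl, mode) {
  const page = new URL(pageUrl);
  const dest = new URL(requestUrl);
  const thirdParty = page.hostname !== dest.hostname;
  if (!thirdParty || mode === "default") return page.href;
  if (mode === "remove") return null;
  if (mode === "spoof") return dest.origin + "/";
  throw new Error("unknown mode: " + mode);
}

// Legacy server-side CSRF check that trusts the Referer header.
// strict=true rejects a missing header; strict=false lets it through.
function refererCsrfCheck(referer, siteOrigin, strict) {
  if (referer === null) return !strict;
  let origin;
  try { origin = new URL(referer).origin; } catch { return false; }
  return origin === siteOrigin;
}

// Constructed sample: a page on forum.example triggers a request to
// app.example, which protects state changes with a Referer check.
function evaluate(mode) {
  const referer = outgoingReferer(
    "https://forum.example/thread/1", "https://app.example/settings", mode);
  return {
    referer,
    strictAllows: refererCsrfCheck(referer, "https://app.example", true),
    lenientAllows: refererCsrfCheck(referer, "https://app.example", false),
  };
}

for (const mode of ["default", "spoof", "remove"]) {
  console.log(mode, evaluate(mode));
}
```

Under these assumptions the spoofed value is the only one that satisfies both variants of the check for a cross-site request, while a removed header looks the same to the server as a request sent under `Referrer-Policy: no-referrer`.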