Excellent. I know you, Mozilla guys, are on HN, so a question.
Any ETA for allowing to block Referer header from being included in cross-origin requests? If I'm on the page that pulls down something from Google Fonts, I see no reason why I should be sharing with Google the URL of the page I'm visiting.
First, there are already multiple Firefox extensions that will let you totally control the Referer header. (In general, if there's something that you want to change about Firefox, you should search https://addons.mozilla.org to find a solution, because somebody's probably already created an extension that does what you want.) I think one such extension is called "RefControl."
I also brought up the issue on Mozilla's dev.privacy mailing list [1] recently. See:
In general, we cannot block the Referer header by default on cross-origin requests because we know that would break too many websites. My proposal is to strip the Referer header down to just the origin + '/', e.g. http://example.org/ instead of http://example.org/foo?search=whatever+you+searched+for.
I think it will be difficult for us to go further than that in the default configuration any time soon (and, as you can see in that thread, there's even some pushback to my extremely reasonable proposal).
Also, I know there is active work happening to bring extra control over the Referer header to Firefox's built-in prefs. This seems to be a little bit in conflict with our "Checkboxes that kill" project so I'm not sure how it will turn out.
FWIW, I just followed your advice, searching Firefox Addons for "Referer". The results were not helpful at all for the goal abcd_f mentioned of blocking cross-site referrers. [Edit: Sorry, it looks like I mistyped "Referer". There is at least one promising addon on the first page.]
Also FWIW, I agree that this is indeed becoming a significant privacy issue. I too don't see why Google or Typekit or some widely used CDN should be gifted a convenient history of my web browsing just because they host popular JavaScript libraries or web fonts.
I'm intrigued by this comment:
In general, we cannot block the Referer header by default on cross-origin requests because we know that would break too many websites.
Is this because some of the third party resources are only authorised for use by certain sites and rely on Referer to establish whether a given request qualifies? Given that there is no security or verification for Referer headers, that seems like a rather broken model to start with.
I can't help thinking that if one of the big browsers forced the issue then those services would have to reconsider and do things a smarter way. That seems likely to inherently reduce the amount of unnecessary information being passed across to those third party services in the first place.
> Is this because some of the third party resources are only authorised for use by certain sites and rely on Referer to establish whether a given request qualifies? Given that there is no security or verification for Referer headers, that seems like a rather broken model to start with.
It's just a first-order approximation to defend against hotlinking. Disabling referers wholesale has mostly worked out for me (via about:config, not an extension), but very rarely I have to turn them back on or switch to a backup browser profile or whatever.
But if you're linking to an image on your own site from your own site, the proposal not to send Referer headers across domains to third parties wouldn't do any harm.
In other words, if your interest is in blocking unauthorised hotlinking, can't you just assume anyone who doesn't include a Referer is equivalent to someone sending a Referer from a malicious site and decline the request?
Sure, that works in many cases. It's also fairly typical to host static-ish content on another domain though, in that case you would have to inspect the referer header, or otherwise conspire with your "main" domain.
Ah I didn't even know that was a thing. I think I am so used to the misspelling that I didn't even realise - the only place I regularly come across the word is in reference to HTTP.
Any ETA for allowing to block Referer header from being included in cross-origin requests?
This feature has been supported in Firefox for a long time, but you have to set it in about:config via the "network.http.sendRefererHeader" integer.
2 = always send
1 = send only to same FQDN (what you seem to want)
0 = never send
IMO this is one of the best bang-for-your-buck privacy configurations. I would love it if Mozilla changed the default from 2 to 1, and at the least, it SHOULD be an option under the Preferences -> Privacy tab.
But a request is still a request. It might not make sense to include referer data in the case you mentioned but that does not mean every cross request will fit that description.
Give me an example where sending a Referer is essential to providing me as a user with a better experience.
There are no such cases, period. Also, with an exception of dumb content protection schemes (anti-hot-linking), Referrers are used exclusively for tracking purposes and carry zero positive benefits for the users. If Mozilla is in fact "passionate about putting its users first", these headers must go. It is as simple as this.
Anti-hot-linking may be dumb to protect the content, but it's very useful to protect others from abusing sites as if they were free image hosters.
I run a small site, and we would occasionally get hotlinked by random people searching for images on Google, which would kill our bandwidth caps. If it weren't for referer filters, we'd have to hide any image for unregistered users.
That said, keep just first-party referers would be fine - we'd just block any image request without referer.
I don't think the referer info is ever really essential but here are some possibilities:
1) If you came from a social media site, maybe I'd highlight that particular social sharing option in a share bar, or hide others.
2) In an e-commerce store, maybe Google sent you to some page on my site that isn't really the best for your search term (product discontinued, other better matching product), I can give you a link to that other page. Google isn't necessarily magical in its ability to pick the best page on a site for a specific term. Maybe if you come from a competitor I can highlight some content that compares my product to the competitor's.
3) I've never derived a ton of benefit from it, but some sites will highlight your search term for you on a page. It could possibly also automatically scroll you to a relevant section if it's a long page and what you searched for is an exact match for some subsection.
In general it can be a valuable data point sites can use to improve the end-user experience. That being said, I can't think of anything where the value really outweighs the potential for abuse, but I think saying that it has no value to the user is short-sighted.
Isn't the Referrer header what Google Analytics et al. use to tell you how people are finding pages on your site? Seems like that could be quite useful for a webmaster to learn more about his audience, tailoring his content to better fit the traffic coming from those sources and identifying other sites that might be abusive (e.g. scraping his content).