Just an FYI, because some people are complaining that Mozilla is doing something evil or will break all of the web or something. Chrome made the same change a while back:<p><a href="https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default" rel="nofollow">https://developers.google.com/web/updates/2020/07/referrer-p...</a><p>So if this breaks something, people probably already noticed. And Mozilla is merely aligning with the browser with the largest market share on this. (Also, everyone who wants something different for their sites, it's configurable: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Re...</a> )
Oh, I'll really miss occasionally peeking at AWStats and discovering weird pages pointing at my weird pages :(<p>This subtle aspect of the web had always been strangely appealing to me: people leaving trails in access logs and building a real "footpaths" network of synapses between HTML <i>documents</i>, across origins. Sad to watch it dying, however beneficial and understandable it is.<p>I feel it didn't have to be this way: maybe if GET wasn't so widely misused recently and generally everybody knew what to <i>not</i> put in a URL and acted accordingly, we could have preserved such nice things.
Here's a practical reason for doing this.<p><a href="https://shkspr.mobi/blog/2018/01/mailchimp-leaks-your-email-address/" rel="nofollow">https://shkspr.mobi/blog/2018/01/mailchimp-leaks-your-email-...</a><p>A few years ago, I discovered that referrers from MailChimp let you unsubscribe people from lists, and see their email addresses.
I think there'd be a bit less panic in the comments if the title/headline reflected that the change (as I understand it) applies cross-origin and cross-scheme (http > tls). So if you're preventing hot-linking of assets, this should not affect you (or; you have some control over it via policy):<p>> this new stricter referrer policy will not only trim information for requests going from HTTPS to HTTP, but will also trim path and query information for all cross-origin requests.<p>Seems like a fairly balanced way to protect privacy along with preserving utility?
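A worked example of the trimming quoted above, added here and not part of the thread or of Mozilla's post: the Referer value a browser derives from the source page URL under the old Firefox default (no-referrer-when-downgrade) and the new one (strict-origin-when-cross-origin). It generalizes to all eight values defined by the Referrer Policy spec; the URLs are constructed, and Node.js with the global URL class is assumed.

```javascript
// Added example (not from the thread): derive the Referer header for a request
// from page `from` to URL `to` under a Referrer-Policy value, following the spec's
// "determine request's referrer" steps. Assumes Node.js (global URL class).
const SECURE = new Set(['https:', 'wss:']);

// The referrer source never carries credentials or the fragment.
function stripForReferrer(from) {
  const u = new URL(from);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}
// Origin-only form: the serialized origin plus a trailing slash, as browsers send it.
const originOnly = (from) => new URL(from).origin + '/';
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;
// A downgrade is a request from a TLS-protected page to a non-TLS URL.
const isDowngrade = (from, to) =>
  SECURE.has(new URL(from).protocol) && !SECURE.has(new URL(to).protocol);

// Returns the Referer value, or null when the header is omitted entirely.
function computeReferer(policy, from, to) {
  // Opaque origins (file: and data: pages) never produce a referrer.
  if (new URL(from).origin === 'null') return null;
  switch (policy) {
    case 'no-referrer':              return null;
    case 'unsafe-url':               return stripForReferrer(from);
    case 'origin':                   return originOnly(from);
    case 'same-origin':              return sameOrigin(from, to) ? stripForReferrer(from) : null;
    case 'origin-when-cross-origin': return sameOrigin(from, to) ? stripForReferrer(from) : originOnly(from);
    case 'strict-origin':            return isDowngrade(from, to) ? null : originOnly(from);
    case 'no-referrer-when-downgrade':      // old Firefox default
      return isDowngrade(from, to) ? null : stripForReferrer(from);
    case 'strict-origin-when-cross-origin': // Firefox 87 default, already Chrome's
      if (isDowngrade(from, to)) return null;
      return sameOrigin(from, to) ? stripForReferrer(from) : originOnly(from);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Constructed sample: a page whose query string carries a per-user token (the
// MailChimp-style leak mentioned in the thread) loading a third-party resource.
const PAGE = 'https://newsletter.example/unsubscribe?list=42&e=alice%40example.net#footer';
const THIRD_PARTY = 'https://tracker.example/pixel.gif';
console.log(computeReferer('no-referrer-when-downgrade', PAGE, THIRD_PARTY));
// -> https://newsletter.example/unsubscribe?list=42&e=alice%40example.net
console.log(computeReferer('strict-origin-when-cross-origin', PAGE, THIRD_PARTY));
// -> https://newsletter.example/
```

Same-origin navigations still receive the full path and query under the new default, so hot-link protection and same-site analytics keep working; only cross-origin requests are reduced to the origin.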
For anyone who wonders how the HTTP referer could ever be a good idea, consider the following:<p>I remember when my dad studied to become a teacher. As one of their assignments they had to create a website. As someone who had recently given up farming, I think he wrote about farm animals and linked to some other pages about small-scale poultry and similar topics.<p>One day he got a mail from the "webmaster" of one of the sites he linked to, saying that he would have to update his links soon. I remember being really surprised that someone knew my dad had linked to them.<p>Being only 16 or 17 or something, I only knew simple HTML, BASIC and VB, but I knew that HTML links were one way.<p>I don't think I realized until later what had really happened: this person had looked at their server logs to see where their visitors came from, looked up the page and found the email address.<p>Of course this also highlights why the referer is so problematic.
That reminds me that in 1999, looking through the referrer logs, I realized that if the link came in from an Outlook email, Outlook+IE would report the subject of the referring email as the referrer (IIRC with user name, something like “mailbox://user@site/subject-of-the-email”).<p>So we started looking for those more seriously in my company, and got quite a bit of interesting intel from potential investors, competitors we knew about, and some we weren’t even aware of.<p>It was just the subject and user, but it was often surprisingly informative.
Nice. I'm using SmartReferer (<a href="https://addons.mozilla.org/en-US/firefox/addon/smart-referer/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/smart-referer...</a>); I'm always happy to drop an extension when Mozilla natively implements the same feature.
Doesn't this just push people to more tracking cookies? How are sites supposed to know what sources are driving their traffic? Whether visitors are coming via email campaigns, Google, etc.?
This made me wonder how to do it now, in Firefox 86. I found this helpful page: <a href="https://askubuntu.com/questions/797135/how-to-disable-http-referrer-in-firefox" rel="nofollow">https://askubuntu.com/questions/797135/how-to-disable-http-r...</a><p>TL;DR: about:config --> network.http.sendRefererHeader --> change value from 2 to 0
We chose not to add referrer to ASPSecurityKit main site [0]. It's a static content site and I think it'd be useful to let other sites know which page (docs/guides/blog) on our site got them a visitor because the content is public anyway. We've applied it on the dashboard though, this same origin-when-cross-origin policy.<p>0: <a href="https://ASPSecurityKit.net" rel="nofollow">https://ASPSecurityKit.net</a>
Google largely killed this when they moved to https by default, but I missed reviewing what search terms visitors used to visit my site and then creating content to answer their actual questions, instead of guessing.<p>But the web was a much smaller place/time back then.<p>Oh, and seeing people search for my uncommon name...
I'm surprised it took this long, and it's still not completely gone. I've never understood the history of why the HTTP referer exists (original intent) or why the user would benefit from sharing it.
So if someone does want to use the HTTP referrer for any reason (e.g. only load a certain asset if coming from an internal URL/specific referrer), what needs to be done?
Would it really break that much to just get rid of the referrer altogether? I would miss it on my personal site (self-hosted, FOSS analytics, no Google Analytics there), but it wouldn't actually break anything.
That's going to break lots of older sites using the Referrer for navigation state. These will now either have to use query params, cookies, or JS instead. Not to mention easy affiliation links.
As a user I love stricter privacy. As a developer working for a platform company whose content (video) is embedded by thousands of websites, I hate this particular change:<p>- more difficult to analyze weird / fraudulent embedders<p>- more difficult to debug issues ("what's the sample URL to repro? no sample URL in logs, only the top level of the domain, but I don't find our embed anywhere ¯\_(ツ)_/¯")<p>Funny thing: you can't just tell your embedding partners to change the embed code and use `referrerpolicy=...` on the iframe to expose the full URL, because it's not GDPR-compliant, apparently. So you need the user's consent first. But how do you obtain the user's consent before you render HTML on the server? :) (A "GDPR wall" is not compliant either.)<p>Life sucks, I guess. But it's for the greater good, and I guess the companies will somehow survive.
Wish I were able enough to help web servers cull HTTP and be HTTPS by default, rather than offer complex alternatives that are often hard and multi-step to implement.
Does Firefox 87 still make my MBP a toaster when I turn on a Zoom call through Firefox?<p>Power usage for same streaming video call on Safari vs. Firefox.<p><a href="https://i.imgur.com/I7T19d0.png" rel="nofollow">https://i.imgur.com/I7T19d0.png</a>
Isn't this going to break campaign tracking for AdWords etc.?<p>Not exactly sure what the actual risk to privacy is here; it does seem there is a lot of bandwagon jumping going on - a bit like "Elf & Safety" or the Data Protection Act being trotted out when an organisation wants an excuse not to do something.
Will Firefox trim its own header additions when searching?<p>E.g. here's the page that Firefox generates when I try to search "Dragon Quest XI" in a Private Window on Amazon via the address bar:<p><a href="https://www.amazon.com/s?k=dragon+quest+xi&link_code=qs&sourceid=Mozilla-search&tag=mozilla-20" rel="nofollow">https://www.amazon.com/s?k=dragon+quest+xi&link_code=qs&sour...</a><p>Note the 'mozilla-20' tag at the end.
I don't understand what Mozilla does to Firefox anymore. What does it mean that a page "can" leak private data?<p>Is there any story about anyone affected by the issue? Does this issue even exist?<p>It is just breaking another piece of the open web.<p>It just seems like Mozilla not only surrendered in gaining browser market share but also actively acts against the open web.<p>I thought website creators and website users should be in charge of what they want to do. But it seems not. Now Mozilla decides what web standards can be broken.<p>I'd maybe applaud changes by Mozilla, but none of these efforts are aimed at gaining more users. Firefox does not gain users with such actions. It does not make any sense what the aim of Mozilla with Firefox is anymore.