Firefox 59 to strip path information from referrer values for 3rd parties

778 points by jhatax over 7 years ago

30 comments

sologoub over 7 years ago
As someone who digs in this data for a living, I personally strongly believe this should be on by default for all browsing. The example they give is an insanely bad design for healthcare.gov, and I would absolutely not want to find that type of data in my analytics telemetry.

It is very useful to know where your traffic is coming from, but that's usually viewed at a higher level than the querystring params being shown. In some cases, this may restrict you from knowing which article the person was reading on the given site before clicking through to yours, but if that's so important, there are other ways to instrument source tracking.
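Added example, not code from the thread: the kind of audit the operator of an analytics or ad endpoint (the "telemetry" sologoub mentions) could run over its own access log to find Referer values that carry sensitive query parameters. The log lines and the key list are constructed; the long referrer mirrors the healthcare.gov URL quoted later in the thread.

```javascript
// Added example (not from the thread): audit a third-party endpoint's access log for
// Referer values that carry sensitive query parameters. Sample lines and the key list
// are constructed; the long referrer mirrors the healthcare.gov URL quoted in the thread.
const SENSITIVE_KEYS = new Set(["age", "smoker", "pregnant", "income", "zip", "dob", "ssn"]);

// Combined-log-format lines as an analytics or ad server would record them (constructed).
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Feb/2018:10:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000" "Mozilla/5.0"',
  '203.0.113.8 - - [01/Feb/2018:10:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://news.example/article?id=42" "Mozilla/5.0"',
  '203.0.113.9 - - [01/Feb/2018:10:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "https://www.healthcare.gov/" "Mozilla/5.0"',
  '203.0.113.10 - - [01/Feb/2018:10:00:04 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
].join("\n");

// client ident user [time] "request" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], request: m[3], status: Number(m[4]),
           referer: m[6] === "-" ? null : m[6] };
}

// Query-string keys in the referrer that are on the sensitive list (case-insensitive).
function sensitiveKeysIn(referer) {
  let u;
  try { u = new URL(referer); } catch (e) { return []; }
  return [...u.searchParams.keys()].filter((k) => SENSITIVE_KEYS.has(k.toLowerCase()));
}

// One finding per request whose Referer leaked sensitive parameters; origin-only
// referrers (what the Firefox 59 change produces) and blank ones never match.
function auditLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const rec = parseLine(line);
    if (!rec || !rec.referer) continue;
    const keys = sensitiveKeysIn(rec.referer);
    if (keys.length === 0) continue;
    const u = new URL(rec.referer);
    findings.push({ time: rec.time, referringHost: u.host, path: u.pathname, keys });
  }
  return findings;
}

for (const f of auditLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.referringHost}${f.path} leaked ${f.keys.join(", ")}`);
}
```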
weinzierl over 7 years ago
> To help prevent third party data leakage *while browsing privately*, Firefox Private Browsing Mode will remove path information from referrers sent to third parties starting in Firefox 59.

Emphasis mine.

It only does it in private mode. I experimented with the referrer options mentioned in the article with mixed success. Not sending the referer header breaks some sites, and often in a non-obvious way.

EDIT: referrer header -> referer header
jacquesm over 7 years ago
This is one of the reasons I tend to flip completely whenever I see healthcare providers and their suppliers run Google Analytics tags *inside* their logged-in areas (yes, this really happens). Besides the questionable value of having such tracking inside the logged-in areas (it's healthcare, they are not going to worry about their conversion rates), such information should simply never leave the premises. Better still if they didn't do this only in private mode but always. Private mode is still associated with doing something sneaky, rather than being the default.

Happy to see FF do the right thing here, and I'm really curious if Google will follow suit. Microsoft and Apple have an opportunity here to show they care more about end-user privacy than Google.
x775 over 7 years ago
In about:config, setting 'network.http.sendRefererHeader' to 0 (default is 2) will stop the referer header from being sent, and document.referrer from being set. See http://kb.mozillazine.org/Network.http.sendRefererHeader for more information.
saagarjha over 7 years ago
> https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000

For a moment I thought this was an example to make a point…
Tepix over 7 years ago
Whoah, TIL that

> EFF researchers discovered this leak of personal health data from healthcare.gov to DoubleClick

It blows my mind that a site such as healthcare.gov would include 3rd party trackers. You guys in the US really don't care about privacy at all.
staunch over 7 years ago
If Mozilla genuinely prioritized its users' interest it would block ads and tracking networks, which are the major way people's private information is leaked and also a primary vector for hacking.

And yet for some mysterious reason Firefox hasn't broken ranks with Google by incorporating ad blocking. Even though it's an obvious major feature and Firefox is losing market share every year.

We know why Google won't prioritize the interests of Chrome users, but why is the only major independent browser seemingly corrupt in the same way?

Mozilla should be helping society by pushing it past an era of internet advertising and the clearly terrible clickbait-fake-news culture it creates. And yet, it does not.

Is Google using the money it pays Mozilla to "discourage" Firefox from going forward with ad blocking? As a concerned citizen, I sent an email to antitrust.complaints@usdoj.gov requesting an investigation. Anyone with insider info should send it there.
alkonaut over 7 years ago
#1 This should be on by default. I might be missing something, but do sites really need the referrer? What would break if the browser sent the same page as referrer, or google.com/ or something similar? Is there any value in the referrer to the *client*? The host can use it for a whole range of reasons, but apart from helping the host, what is the immediate benefit to the client?

#2 Won't this be possible to bypass simply by encoding more in the domain part of the URL than in parameters? So you switch from a.b.tld/foo?p=123 to 123.a.b.tld/foo?
jusob over 7 years ago
Interesting, this is what the Referrer-Policy header is supposed to do, site by site. It makes sense to enable it in private browsing mode, though... and then you'll see how many sites break because they use the Referer as some kind of authentication mechanism (yes, seen in practice multiple times).
Justsignedup over 7 years ago
I mean, we already have Firefox plugins to permanently block the referrer. Which is great. But I applaud Mozilla for going privacy-first in a consumer package. I hope that eventually Mozilla will focus entirely on privacy and make good anti-tracking, anti-ads, anti-referrer, and anti-cryptomining all default packages.
makecheck over 7 years ago
E-commerce checkout codes, etc. are the only reasonable form of referral. In other words, if I give you something voluntarily that tells you where I came from, fine; otherwise, why do we have so much auto-leaking built into protocols?
joelthelion over 7 years ago
Are there any reasons not to get rid of referers altogether?
executesorder66 over 7 years ago
You can use the smart-referer addon [0][1] to send a custom referrer string [2]

[0] https://addons.mozilla.org/en-US/firefox/addon/smart-referer/
[1] https://github.com/meh/smart-referer
[2] https://imgur.com/a/1HZQK
newman314 over 7 years ago
For those who are curious, here's some more detail on the various options.

https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/

Basically, set the following:

    network.http.referer.(XOriginPolicy|XOriginTrimmingPolicy|trimmingPolicy) to 2
    network.http.referer.spoofSource to true
    network.http.sendRefererHeader to 0
    network.sendSecureXSiteReferrer to false
compsciphd over 7 years ago
Wouldn't this make it obvious that the user is browsing in private mode? While I get that might be preferable to leaking information, it's also not an ideal solution either.
codedokode over 7 years ago
Sites like healthcare.gov or banks should not include third-party ads or analytics scripts. The referrer is not the only way to leak information from the page.
dewiz over 7 years ago
For the scope of requesting a document, there is no need for a referrer or a user agent.

A lot of features/apps/websites have been built around the assumption that this information is sent, but it would be nice to start dropping it by default.
jokoon over 7 years ago
The weird thing about browsers that try to protect your privacy is how many websites will get broken because of this.

I managed to disable cookies by default using a cookie whitelist, and I counted many websites that broke down.

I applaud Firefox for daring to break websites for the sake of privacy, but I'm waiting for websites to react.

Firefox should be even more strict regarding privacy: ask the user if he wants to set a cookie, never save history, etc.

I'm using the extension that compartmentalizes website usage on Firefox, and this should be made default.
kemitche over 7 years ago
Color me stupid, but I thought all major browsers already stripped referrer info when navigating from HTTPS? The examples used don't make sense to me if that's true.
rowyourboat over 7 years ago
TIL that this is an option at all. It's there in earlier versions, too; all they did was change the default behavior for Private Browsing mode.
marco1 over 7 years ago
Setting `network.http.referer.XOriginPolicy` to `1` in Firefox's `about:config` is actually a pretty reasonable choice for *all* browsing, and balances privacy with preventing your favorite sites from breaking.
jasonlotito over 7 years ago
Flagged this, as the headline here and the headline on the blog post do not match, and the one here is not accurate and misrepresents the post.
ecthiender over 7 years ago
Why is this only being implemented in private browsing mode and not in normal mode? IMO, this should be the default.
rkagerer over 7 years ago
This might be a dumb question, but does whether a site uses SSL have any impact on browser behavior concerning query strings?

It seems counterproductive that my browser is taking so much care to encrypt my query strings, then leaking them to any host from which the site I'm visiting happens to pull content.
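Added example, not code from the thread or from Mozilla, placed here because it answers rkagerer's and kemitche's question and also covers jusob's Referrer-Policy point and alkonaut's #2: a model of the Referer value a browser sends under each Referrer-Policy value, run against the healthcare.gov URL quoted above. `tracker.example` is a constructed third-party host, and `private-browsing-59` is my own label for the article's private-mode rule, which I assume behaves like strict-origin-when-cross-origin.

```javascript
// Added example (not Mozilla's or the thread's code): model of the Referer value a
// browser sends under each Referrer-Policy value, following the W3C Referrer Policy
// spec. "private-browsing-59" is an assumed label for the Firefox 59 behaviour in the
// article (full referrer to the same origin, origin only to third parties).
function originOf(url) {
  return new URL(url).origin; // scheme://host[:port], no path or query
}

function fullReferrer(url) {
  const u = new URL(url);
  u.username = ""; u.password = ""; u.hash = ""; // spec strips credentials and fragment
  return u.href;
}

function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

// Returns the Referer header value, or null when no header is sent at all.
function computeReferrer(from, to, policy) {
  const sameOrigin = originOf(from) === originOf(to);
  const full = fullReferrer(from);
  const originOnly = originOf(from) + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return isDowngrade(from, to) ? null : full;
    case "same-origin": return sameOrigin ? full : null;
    case "origin": return originOnly;
    case "strict-origin": return isDowngrade(from, to) ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
    case "private-browsing-59": // assumption: the article's trimming maps to this rule
      if (sameOrigin) return full;
      return isDowngrade(from, to) ? null : originOnly;
    case "unsafe-url": return full;
    default: throw new Error("unknown policy: " + policy);
  }
}

// The page URL quoted in the thread; the third-party pixel host is a constructed stand-in.
const HEALTHCARE_PAGE =
  "https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000";
const THIRD_PARTY_PIXEL = "https://tracker.example/pixel.gif";

// What the third party receives under the old default, the new private-mode rule, and no-referrer.
function leakTable(from = HEALTHCARE_PAGE, to = THIRD_PARTY_PIXEL) {
  const policies = ["no-referrer-when-downgrade", "private-browsing-59", "no-referrer"];
  return Object.fromEntries(policies.map((p) => [p, computeReferrer(from, to, p)]));
}
```

Under the old default only an HTTPS-to-HTTP downgrade suppresses the header, so a third party loaded over HTTPS still receives the full query string; the subdomain case in the checks shows why alkonaut's point stands, since the trimmed origin keeps the whole host.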
pasbesoin over 7 years ago
Or, you could have chosen not to break the RefControl extension, which did this and a lot more.
DarronWyke over 7 years ago
I disable referers for all browsers. Firefox has them off completely, with Referer Control using a random one for Chrome. I only enable them for sites that absolutely need them (and that I need to use).

It's simply good data hygiene and privacy.
mehrdadn over 7 years ago
Uhm, wouldn't this give an indication as to whether the user is in private mode?
ospider over 7 years ago
This feature should be easily implemented by an extension for Google Chrome using the webRequest API.
therealmarv over 7 years ago
Any other browser doing this? Safari?
spondyl over 7 years ago
For those confused as to why half the comments have "misspelled" referrer, here's an interesting bit of history:

The misspelling of referrer originated in the original proposal by computer scientist Phillip Hallam-Baker to incorporate the field into the HTTP specification. The misspelling was set in stone by the time of its incorporation into the Request for Comments standards document RFC 1945; document co-author Roy Fielding has remarked that neither "referrer" nor the misspelling "referer" were recognized by the standard Unix spell checker of the period.

https://en.wikipedia.org/wiki/HTTP_referer#Etymology