
disable network.http.referer.spoofSource (breaks all websites relying on referers; even for internal use), set network.http.referer.XOriginPolicy to 2 (only send referers on same subdomain)

there is no security/privacy value in hiding referers on same-origin requests as they will be logged server-side anyway
nodiscc committed Aug 15, 2020
1 parent f37ebbb commit 59cce16
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions user.js
Expand Up @@ -725,18 +725,18 @@ user_pref("security.sri.enable", true);
// NOTICE: Do No Track must be enabled manually
//user_pref("privacy.donottrackheader.enabled", true);

// PREF: Send a referer header with the target URI as the source
// PREF: Send a referer header with the target URI as the source (DISABLED)
// https://bugzilla.mozilla.org/show_bug.cgi?id=822869
// https://github.com/pyllyukko/user.js/issues/227
// NOTICE: Spoofing referers breaks functionality on websites relying on authentic referer headers
// NOTICE: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
// NOTICE: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
// NOTICE-DISABLED: Spoofing referers breaks functionality on websites relying on authentic referer headers
// NOTICE-DISABLED: Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon
// NOTICE-DISABLED: Spoofing referers disables CSRF protection on some login pages not implementing origin-header/cookie+token based CSRF protection
// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs
user_pref("network.http.referer.spoofSource", true);
//user_pref("network.http.referer.spoofSource", true);

// PREF: Don't send referer headers when following links across different domains (disabled)
// PREF: Don't send referer headers when following links across different domains
// https://github.com/pyllyukko/user.js/issues/227
// user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.referer.XOriginPolicy", 2);

// PREF: Accept Only 1st Party Cookies
// http://kb.mozillazine.org/Network.cookie.cookieBehavior#1
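Review bot: the line `// TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs` is now stale, because this hunk uncomments `user_pref("network.http.referer.XOriginPolicy", 2);`; drop the XOriginPolicy half of that TODO or reword it to cover only XOriginTrimmingPolicy. Also, XOriginPolicy value 2 sends the Referer only when the full host matches, whereas value 1 matches on base domain, so the header comment `// PREF: Don't send referer headers when following links across different domains` and the commit message's "same subdomain" describe a looser rule than the one being set: a navigation from login.example.com to www.example.com will also go out without a Referer, which can trip sites whose CSRF check validates Referer across their own subdomains. If host-level matching is the intent, say so in the comment; if domain-level matching is the intent, use 1.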
