Skip to content
This repository has been archived by the owner on Jul 21, 2021. It is now read-only.

[FYI] Spoofing Referrer headers in uMatrix #773

Closed
Atavic opened this issue Apr 28, 2017 · 2 comments
Closed

[FYI] Spoofing Referrer headers in uMatrix #773

Atavic opened this issue Apr 28, 2017 · 2 comments

Comments

@Atavic
Copy link

Atavic commented Apr 28, 2017
edited
Loading

referrer-spoofing is explained in the Wiki. In the last sentence:

[...] the referrer will be spoofed using the http://www.example.com/ string.

The referrer here is also stripped down to the minimum for a correctly working and privacy-aware browsing.

@fmarier's post Tweaking Referrers For Privacy in Firefox goes indepth about the Referer header.

A more secure option is to strip cross-origin referrers and leave same-origin referrers alone.

arkenfox/user.js#5 (comment)
@gorhill
Copy link
Owner

gorhill commented Dec 9, 2017
edited
Loading

After reading the blog post, it does seem to me that uMatrix could treat non-GET requests differently for referrer-spoofing purpose: remove the Referer header instead of spoofing it -- keeping in mind that uMatrix spoof the referrer only when it is 3rd-party to the navigated-from site, so the referrer header would not be removed if it is 1st-party.

@Atavic
Copy link
Author

Atavic commented Dec 9, 2017

Optimal choice.

gorhill added a commit that referenced this issue Dec 9, 2017
@gorhill
fix ##773 + added logger output for CSP modification
8608b29
@gorhill gorhill closed this as completed Dec 9, 2017
@Remu-rin Remu-rin mentioned this issue Jun 12, 2018
Open
6 tasks
@troy-lamerton troy-lamerton mentioned this issue Sep 2, 2018
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gorhill @Atavic