
Always send a referer but spoof it first #2

Merged
merged 1 commit into from
Jan 2, 2015

Conversation

fmarier
Contributor

@fmarier fmarier commented Dec 24, 2014

Blocking referers breaks some sites, but these sites will happily accept a
spoofed one.

@pyllyukko
Owner

I would prefer to leave the referer completely disabled. I tested this with both (yes, a total of two :) sites that I know require the referer, and it wasn't enough for the other.

So my impression is that there actually aren't that many sites that really require this. What's your impression on this?

We could still have this as an option (commented out by default and with instructions), or something similar.

@fmarier
Contributor Author

fmarier commented Dec 24, 2014

I tested this with both (yes, a total of two :) sites that I know require the referer, and it wasn't enough for the other.

Interesting. What's the site that it doesn't work on?

It works on launchpad.net for me.

@pyllyukko
Owner

Unfortunately, I can't reveal what that site is, so you'll just have to take my word for it. I just recalled that https://gpodder.net/ also checks the header, and your settings did work for that as well.

I'm still thinking what would be the best approach for this.

@fmarier
Contributor Author

fmarier commented Dec 25, 2014

No problems. If you do find a site that doesn't work with spoofSource and that you don't mind revealing, please let me know; I'd be very interested to dig into it and see if we can make it work in Firefox with spoofing somehow.

In terms of what the default should be for your user.js, my thinking for suggesting spoofSource was that:

  1. spoofSource makes a few sites work that won't work when the referer is blocked entirely
  2. given that the real referer is thrown away and that a site just receives its own URI in there, spoofSource doesn't leak any more information than sendRefererHeader == 0
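How the two preferences named above combine, modelled in JavaScript as an added example (not code from this pull request or from the user.js project). The `user_pref()` lines use the same syntax as a Firefox user.js; the value meanings of `sendRefererHeader` (0 = never, 1 = user-clicked links only, 2 = links and embedded content) and `spoofSource` (send the target URL as the Referer) follow Firefox's documented behaviour, while `refererFor`, `leaksSource` and `siteAcceptsReferer` are hypothetical, simplified helpers written for this illustration.

```javascript
// Added example: models what a site sees under the settings discussed in
// this PR. The Referer logic is a simplified re-implementation (assumption),
// not Firefox's own code.
const prefs = {};
function user_pref(name, value) { prefs[name] = value; }

// The same two lines as they would appear in a user.js (the merged change).
user_pref("network.http.sendRefererHeader", 1);      // 0 = never, 1 = links only, 2 = links + embedded loads
user_pref("network.http.referer.spoofSource", true); // send the target URL instead of the real source

// Referer header value for one request, or null when none is sent.
// loadKind is "link" (a user-initiated navigation) or "embed" (image, script, ...).
function refererFor(p, sourceUrl, targetUrl, loadKind) {
  const mode = p["network.http.sendRefererHeader"];
  if (mode === 0) return null;
  if (mode === 1 && loadKind !== "link") return null;
  const chosen = p["network.http.referer.spoofSource"] ? targetUrl : sourceUrl;
  // Browsers drop the fragment and any credentials from the Referer (simplified).
  const u = new URL(chosen);
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// True when a cross-origin request reveals which origin the user came from:
// the leak that point 2 above argues spoofSource avoids.
function leaksSource(p, sourceUrl, targetUrl, loadKind) {
  const r = refererFor(p, sourceUrl, targetUrl, loadKind);
  const srcOrigin = new URL(sourceUrl).origin;
  const dstOrigin = new URL(targetUrl).origin;
  return r !== null && srcOrigin !== dstOrigin && new URL(r).origin === srcOrigin;
}

// A same-origin "Referer must match" check of the kind the sites in this
// discussion perform (constructed; real sites differ in detail).
function siteAcceptsReferer(referer, targetUrl) {
  return referer !== null && new URL(referer).origin === new URL(targetUrl).origin;
}
```

With spoofing the site's check passes because the Referer is its own URL, while the origin the user actually came from is never transmitted; at level 1 embedded loads still carry no Referer at all.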

@pyllyukko
Owner

Yeah, I think we can make this the default, as this still enables a few more sites and makes browsing a bit less of a hassle.

BTW, I noticed that IMDb's login screen also does the check and also requires network.http.sendRefererHeader == 2.

Thanks.

pyllyukko added a commit that referenced this pull request Jan 2, 2015
Always send a referer but spoof it first
@pyllyukko pyllyukko merged commit 12e7588 into pyllyukko:master Jan 2, 2015
@pyllyukko
Owner

I think @fmarier had good reasoning for this, and this is something that doesn't necessarily need any changing. Now it sends it and spoofs it, which works quite nicely and doesn't leak information. I've been thinking of changing network.http.sendRefererHeader to 2 to fix the few logins that require it.

Also, even though the extension list is already quite excessive, I'd like to keep it to a minimum and have only those extensions that are absolutely necessary, as you also stated in #16.
