Referer Path Stripping in Private Browsing Mode in Firefox 59

Luke Crouch gave us an fantastic article about the future of Firefox and how it’s handle the ‘referer’ problem – these leaks usually reveal sensitive information, such what page you visited before. This is pretty a critical thing because such information are also often used by ads, which then gathering information about what you like and what you not like, because you might click on product x more than on other products.

Sadly by default the mode is only enabled in the Private Window, for no reason.

Protection against such data leaks?

• You can upgrade to Firefox 59 and optimize your about:config so that your traces are let less.
• Install addons like adblock/ublock which might remove the original information or simply block every external request made by it.

Optimal about:config settings

network.http.sendRefererHeader
        2 = (default) send on all requests (e.g. images, links, etc.)
network.http.referer.trimmingPolicy
        1 = send the URL without its query string
network.http.referer.XOriginTrimmingPolicy
        2 = only send the origin
network.http.referer.XOriginPolicy
        0 = (default) send the referrer in all cases
network.http.referer.spoofSource
    true = send the target URL as the referrer
network.http.referer.userControlPolicy
        2 = strict-origin-when-cross-origin
network.http.referer.hideOnionSource
    true - strip out the referrer when it's a .onion address

It basically sends a spoofed referer all the time and more detaila when the same origin is used, less detaila when cross origin. So, you never leak any real data but you always supply a referer because a bunch of stupid websites still require it to work properly but you can totally just tell them you just came from the page you’re going to. More details can be found here.

There are stronger settings you could use but it simply breaks too much and these are the most optimal settings without getting any troubles.

Private Browsing Window nonsense

Why Every Browser has such a mode is beyond me, Chrome has it’s ‘Incognito Mode’ and Firefox has the ‘Private Window’ in my eyes this is totally a waste, because people should get the best possible security they can get streight from the beginning and not with seperate options and confusing features.

Such features wasting also a lot of developer resources and the code gets bigger, instead the Browser developer should try to reduce the code as much as possible which then would it make easier to do an audit – and less code loads a lot of faster, so it would be a win-win situation. Now we have some half-cooked browser with options only a hand of people are aware off and at the end no one uses it because it’s not compfortable enough and the source code gets bigger with such a mess, not what I expect.

A Browser is one of the most used if not the most used app on your PC and it must be made as secure as possible without any compromises – period. Private Windows and about:config tweaks are just cancer and a waste of time for people which not having the time to mess with this (so basically everyone except nerds) because no one heard of it – Ask your Mom what about:config tweak she uses I bet she will say “What?”.