Mozilla Firefox tweaks Referrer Policy to shore up user privacy
Mozilla Firefox will soon include a revised Referrer Policy to tighten up queries and better protect user information.
Firefox 87, due to ship on March 23, will cut back on path and query string information from referrer headers “to prevent sites from accidentally leaking sensitive user data.”
In a blog post on Monday, developer Dimi Lee and security infrastructure engineering manager Christoph Kerschbaumer said the latest browser version will include a “stricter, more privacy-preserving default Referrer Policy.”
Browsers send HTTP Referrer headers to websites to indicate which location has ‘referred’ a user to a website server. Full URLs of referring documents are often sent in the HTTP Referrer header with other subresource requests, and while this may contain innocent information used for purposes including analytics, private user data may also be included.
Referrer policies aim to protect this data, but if no policy is set by a website, this often defaults to “no-referrer-when-downgrade,” an element that Firefox says does trim down the referrer when navigating to a less secure resource, but still “sends the full URL including path and query information of the originating document as the referrer.”
“The ‘no-referrer-when-downgrade’ policy is a relic of the past web, when sensitive web browsing was thought to occur over HTTPS connections and as such should not leak information in HTTP requests,” the team says. “Today’s web looks much different: the web is on a path to becoming HTTPS-only, and browsers are taking steps to curtail information leakage across websites. It is time we change our default Referrer Policy in line with these new goals.”
As such, Firefox 87 will introduce “strict-origin-when-cross-origin” as default in the browser’s Referrer Policy, which will cut away sensitive user information — including path and query string — accessible in URLs and in requests going from HTTPS to HTTP as well as all cross-origin requests.
“Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience,” Firefox says.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0