bug-gnuzilla

[Bug-gnuzilla] default referrer configuration in IceCat


From: François Kooman
Subject: [Bug-gnuzilla] default referrer configuration in IceCat
Date: Mon, 29 Feb 2016 15:29:16 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0

Hi,

The HTTP referrer configuration has some issues when it is used for CSRF
protection by sites. The default Firefox configuration is like this
(about:config):

network.http.referer.XOriginPolicy = 0
network.http.referer.spoofSource = *false*
network.http.referer.trimmingPolicy = 0
network.http.sendRefererHeader = 2

The default IceCat configuration is like this:

network.http.referer.XOriginPolicy = 0
network.http.referer.spoofSource = *true*
network.http.referer.trimmingPolicy = 0
network.http.sendRefererHeader = 2

The intention of spoofing the referrer is a good one, but it may be
better to disable "spoofSource" and instead use "XOriginPolicy" with the
value of 1=domain match (or 2=host match) that will prevent
"cross-domain/host" HTTP referrers, but still allow the full referrer on
the same host/domain. Using referrers within the same domain has no
implications for privacy of the user as far as I can see.

So, my proposal is this default configuration:

network.http.referer.XOriginPolicy = 2
network.http.referer.spoofSource = *false*
network.http.referer.trimmingPolicy = 0
network.http.sendRefererHeader = 2

I am not sure if this has any other (negative) effects when using this
to browse around, but so far using it for the last couple of days hasn't
resulted in any issues; of course my browsing behavior may not be
representative...

What do you think?

Regards,
François
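The following is an added illustration, not part of François's mail or of IceCat's code: a small Python model of how the four preferences quoted above decide what Referer a browser sends, run against a server-side CSRF check that relies only on the Referer header. The preference semantics (spoofSource substitutes the target URL, XOriginPolicy 1/2 suppress cross-domain/cross-host referrers, trimmingPolicy truncates) are a simplified reading of the preference names, and the hosts, URLs and the "last two labels" domain rule are constructed assumptions, not Mozilla's implementation.

```python
"""Model of browser referrer preferences versus a Referer-based CSRF check.

Constructed example. The pref handling below is a simplified interpretation
of the about:config names quoted in the mail, not Mozilla's code.
"""
from urllib.parse import urlsplit, urlunsplit

FIREFOX_DEFAULT = {
    "network.http.referer.XOriginPolicy": 0,
    "network.http.referer.spoofSource": False,
    "network.http.referer.trimmingPolicy": 0,
    "network.http.sendRefererHeader": 2,
}
ICECAT_DEFAULT = dict(FIREFOX_DEFAULT, **{"network.http.referer.spoofSource": True})
PROPOSED = dict(FIREFOX_DEFAULT, **{"network.http.referer.XOriginPolicy": 2})


def base_domain(host):
    # "Domain match" approximated as the last two labels (assumption);
    # real browsers consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def referer_for(source, target, prefs):
    """Return the Referer value the modelled browser sends, or None."""
    if prefs.get("network.http.sendRefererHeader", 2) == 0:
        return None  # never send a referrer
    if prefs.get("network.http.referer.spoofSource", False):
        return target  # spoofSource: the referrer is the target URL itself
    src, dst = urlsplit(source), urlsplit(target)
    xorigin = prefs.get("network.http.referer.XOriginPolicy", 0)
    if xorigin == 1 and base_domain(src.hostname) != base_domain(dst.hostname):
        return None  # cross-domain: suppressed
    if xorigin == 2 and src.hostname != dst.hostname:
        return None  # cross-host: suppressed
    trim = prefs.get("network.http.referer.trimmingPolicy", 0)
    if trim == 1:
        return urlunsplit((src.scheme, src.netloc, src.path, "", ""))
    if trim == 2:
        return urlunsplit((src.scheme, src.netloc, "/", "", ""))
    return urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))


def referer_check(referer, app_host, allow_missing=False):
    """Server-side CSRF check that trusts only the Referer header.

    A missing Referer is rejected unless the application opts to allow it.
    """
    if referer is None:
        return allow_missing
    return urlsplit(referer).hostname == app_host


APP_HOST = "bank.example"  # constructed application host
TARGET = "https://bank.example/transfer"


def forged_post_accepted(prefs):
    """Cross-site form POST from another host: does the check let it through?"""
    ref = referer_for("https://othersite.example/page", TARGET, prefs)
    return referer_check(ref, APP_HOST)


def legit_post_accepted(prefs):
    """Same-host form POST: does the check still accept it?"""
    ref = referer_for("https://bank.example/form", TARGET, prefs)
    return referer_check(ref, APP_HOST)


if __name__ == "__main__":
    for name, prefs in [("Firefox default", FIREFOX_DEFAULT),
                        ("IceCat default", ICECAT_DEFAULT),
                        ("Proposed", PROPOSED)]:
        print(f"{name:16} cross-site accepted={forged_post_accepted(prefs)!s:5} "
              f"same-host accepted={legit_post_accepted(prefs)}")
```

With spoofSource enabled the cross-site request carries a Referer equal to the target URL, so a Referer-only check sees a same-host request and accepts it; with XOriginPolicy = 2 the cross-host request arrives with no Referer and is rejected, while the same-host request keeps its full referrer. The model also shows why a server should decide deliberately what to do with a missing Referer (the `allow_missing` flag), since any cross-origin policy setting produces that case.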


