koaning / calmcode-feedback

A repo to collect issues with calmcode.io

Confirm if `network.http.sendRefererHeader` causes issues on Firefox #50

Open krillin666 opened 4 years ago

krillin666 commented 4 years ago

Hello,

This project seems really helpful, however I cannot play nor see any of the videos from the website. I tried disabling all my addons and set Firefox to accept cookies but the problem persists as seen below:

calm

I inspected the element of the warning and noticed your videos are being provided by Vimeo, and as such I tried to just copy and paste the direct link to the Vimeo video, but the above message still persists. This is strange because I tested other sites with embedded Vimeo videos and they all work fine, even with all my addons enabled and a strict cookie policy.

I'm using Fedora 32 with Firefox v.79.

Thank you for your time.

koaning commented 4 years ago

That's strange. This is what I currently see on Firefox on mac

image

Copy/Pasting vimeo links won't work because I've set it up in such a way that you need to be on the domain of calmcode in order to view the videos.

koaning commented 4 years ago

Is it just this series of videos that demonstrates this issue or do you experience the issue across all videos? Could you check on your mobile phone as well? Just to exclude that it is your wifi provider.

krillin666 commented 4 years ago

> Is it just this series of videos that demonstrates this issue or do you experience the issue across all videos? Could you check on your mobile phone as well? Just to exclude that it is your wifi provider.

Hello, I tested on my phone (with my home wifi also) and the videos do play without problems. I do not understand why they don't on my PC. I was using a VPN but I tried: deactivating the VPN, disabling all addons. Nothing works. Important to note that this applies to all videos on the site. Thank you.

koaning commented 4 years ago

I fear that this is something related to your home setup then. Since it does seem to work on your phone I'll close the issue for now since it seems to be something that is outside of my control.

demostanis commented 3 years ago

"Copy/Pasting vimeo links won't work because I've set it up in such a way that you need to be on the domain of calmcode in order to view the videos." That might be the issue. Some configurations prevent sending the Referer header, thus Vimeo won't be able to know that the viewer is actually on calmcode (and will not let him watch it).

koaning commented 3 years ago

Could you elaborate on what you mean by "some configurations"? Are you referring to settings on an employer's laptop?

demostanis commented 3 years ago

For example, on Firefox, it is setting the pref `network.http.sendRefererHeader`. It can be used to increase privacy, at the price of breaking some websites depending on it. People would for sure prefer to use calmcode without disabling the pref.

koaning commented 3 years ago

Interesting! That means I should open up the issue again.

Edit: I'm on my phone now and the github client does not allow me to re-open the ticket from here. Ticket will open up tomorrow!

demostanis commented 3 years ago

It does.

No Referer header sent: image image

Referer header sent: image image

krillin666 commented 3 years ago

Update on this ? 😃

koaning commented 3 years ago

I'm not seeing any problems with Firefox on my machine but I may need help understanding how to set `network.http.sendRefererHeader` up in such a way that it represents what you experience. Could you link to a guide?

krillin666 commented 3 years ago

> I'm not seeing any problems with Firefox on my machine but I may need help understanding how to set `network.http.sendRefererHeader` up in such a way that it represents what you experience. Could you link to a guide?

Sure, I'll be glad to help because I have friends that also report this issue and have to sacrifice privacy to use Calmcode (which btw is amazing, can't thank you enough !).

So in Firefox, if we go to about:config and set (as @demostanis explained): network.http.sendRefererHeader = 2 instead of the default 0, we cannot view any videos on calmcode.

However, I actually had network.http.sendRefererHeader set to the default 0, but the videos do not display for me either because I have another setting, which is network.http.referer.XOriginPolicy, set to 2.

Here you have an explanation of that setting:

network.http.referer.XOriginPolicy = 2 Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.) Source

    0 = Send Referer in all cases
    1 = Send Referer to same eTLD sites
    2 = Send Referer only when the full hostnames match*

Thank you again for your work, and I hope to be able to browse while keeping my privacy settings on 😁

koaning commented 3 years ago

Ah right. Now I see, I can confirm the issue.

I don't see an easy fix though. It seems that this Firefox setting breaks not just Vimeo but also Jira. I'll gladly hear if anybody has a quick solution to this issue, but I fear this is something that only Vimeo can change.

thansk commented 1 year ago

This isn't an issue with calmcode, this is an issue with your Firefox configuration. The practice of checking the Origin header by Vimeo is standard security.

All you have to do is set network.http.referer.XOriginPolicy to 0 so that Vimeo knows you are coming from calmcode.io and not somewhere else. You can set network.http.referer.XOriginTrimmingPolicy to 2 if you care so much about it and it will only send calmcode.io instead of the full URL.
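
Added example, not part of the thread and not code from calmcode, Vimeo or Firefox: a small model of how the three prefs discussed above decide which `Referer` a cross-origin embed request carries, and how a domain-restricted embed check then fails closed when the header is absent. Assumptions: `embedAllowed` is a hypothetical server-side check, the URLs are constructed samples, the base-domain comparison uses the last two labels instead of the Public Suffix List, and the page's own Referrer-Policy is not modelled.

```javascript
// Firefox about:config defaults for the prefs named in this thread.
const DEFAULT_PREFS = {
  sendRefererHeader: 2,     // 0 = never send, 2 = send on all requests (1 is not modelled)
  XOriginPolicy: 0,         // 0 = always, 1 = same base domain, 2 = same full hostname
  XOriginTrimmingPolicy: 0, // 0 = full URL, 1 = drop query string, 2 = origin only
};

// Simplification: the last two labels stand in for the eTLD+1 (no Public Suffix List).
const baseDomain = (host) => host.split(".").slice(-2).join(".");

// Referer value attached to a request from pageUrl to targetUrl, or null if none is sent.
function refererFor(pageUrl, targetUrl, prefs = DEFAULT_PREFS) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (prefs.sendRefererHeader === 0) return null;
  const crossOrigin = page.origin !== target.origin;
  if (crossOrigin) {
    if (prefs.XOriginPolicy === 2 && page.hostname !== target.hostname) return null;
    if (prefs.XOriginPolicy === 1 &&
        baseDomain(page.hostname) !== baseDomain(target.hostname)) return null;
  }
  const trim = crossOrigin ? prefs.XOriginTrimmingPolicy : 0;
  if (trim === 2) return page.origin + "/";
  if (trim === 1) return page.origin + page.pathname;
  return page.origin + page.pathname + page.search; // the fragment is never sent
}

// Hypothetical server-side check for a domain-restricted embed.
function embedAllowed(referer, allowedHosts) {
  if (!referer) return false; // no header: the embedding site cannot be identified
  try {
    return allowedHosts.includes(new URL(referer).hostname);
  } catch {
    return false; // malformed header value
  }
}

// Constructed sample request: a calmcode.io page embedding a Vimeo player.
const PAGE = "https://calmcode.io/course/video.html?t=1#top";
const PLAYER = "https://player.vimeo.com/video/0000";
function canPlay(overrides = {}) {
  const prefs = { ...DEFAULT_PREFS, ...overrides };
  return embedAllowed(refererFor(PAGE, PLAYER, prefs), ["calmcode.io"]);
}

console.log(canPlay(), canPlay({ sendRefererHeader: 0 }), canPlay({ XOriginPolicy: 2 }));
```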