search

sblask-webextensions / webextension-skip-redirect

Some web pages use intermediary pages before redirecting to a final page. This add-on tries to extract the final url from the intermediary url and goes there straight away if successful.
https://addons.mozilla.org/firefox/addon/skip-redirect/
MIT License
481 stars 45 forks source link

use tab.update instead of redirectUrl to vanish referer #329

Open garywill opened 1 year ago

garywill commented 1 year ago

Skip redirect by returning redirectUrl will increase some privacy risk.

Without this addon, clicking a link in https://forum.com/post-xxxxxx which is originally to https://redirect.forum.com/dest=http://badsite.com. badsite.com can't see visitor's source postid from referer. The referer is just https://redirect.forum.com/.

After changing target url by returning a redirectUrl, the referer will expose visitor's source https://forum.com/post-xxxxxx

So, use tab.update to make referer empty

sblask commented 1 year ago

I am wondering whether this is right. I couldn't find a way to set a referrer manually, but using tab.update seems like a big change. Even if it works I'd expect to either set the requests to non-blocking or return cancel instead of nothing.

garywill commented 1 year ago

return cancel instead of nothing

Your idea is right. I also think returning cancel is the right way. Returning cancel means canceling the original request and let the tabs.update navigates tab to a new url.

But there seems to be a Firefox bug. Returning cancel makes the tabs.update canceled also. On Chrome there's no such bug.

This is another of my addon, I did this: https://github.com/garywill/autoReferer/blob/84f17e1be5f57c9684b5fe163cc93941d02d96b2/g_background.js#L127-L131

Guess we need to file a bug to Mozilla: