secureblue / hardened-chromium

A hardened chromium for desktop Linux inspired by Vanadium.
GNU General Public License v2.0
22 stars 5 forks

Reduce Cross-Site Leaks (Referrer and Window.Name) #21

Closed RKNF404 closed 1 week ago

RKNF404 commented 1 month ago

These should ideally be reduced and cleared respectively for privacy reasons.

RKNF404 commented 1 month ago

I'll add some research and solutions I have for both tomorrow.

RKNF404 commented 1 month ago

For window.name, this feature can be enabled. Unfortunately, it does not work yet (there is a Cromite patch to properly enable it, not huge, just 2 extra lines). Firefox has had something like this enabled for a while, as have Brave and Safari, and the Chromium team investigated enabling it and noticed no very significant issues, so issues are unlikely should it be enabled (I believe Chromium hasn't shipped it due to certain issues that they cannot deal with relating to popular sites, similar to HTTPS-Only mode, iirc). With a little extra patch work, it would be possible to also enable. Vanadium does not have something for this either.

RKNF404 commented 1 month ago

For referrers, I would propose 2 phases. Phase 1 would be enabling this feature; this essentially emulates Vanadium's Reduce referrer setting (limiting referrers to the origin when cross-origin). I have been using that feature for a while now on desktop and have never noticed any regressions in functionality (since it only really affects sites using the no-referrer-when-downgrade and unsafe-url policies; the only use-case I can think of is using a token in the query parameters for a security/DDoS check or something, but I do not know of any examples of this). This seems like a sane default. Phase 2 would try to create a user-facing toggle to disable cross-site referrers (fully). One way to do this would be through flags (creating a new flag that controls the behavior, and potentially exposing it through about:flags; I do not think enabling it by default would make sense for functionality reasons should it be added), which would be relatively easy (I did some research and I think I know how to do this; the main part would be adding on to this function to support clearing the referrer). The other way is some UI settings, which is more complicated and would take more time, but would be similar to Vanadium's solution adapted to desktop. Let me know what you think.

qoijjj commented 1 month ago

Makes sense. For the window.name, I assume this is something we can send to Vanadium too?

And for referrers, the Vanadium "reduce referrer setting" you're referring to is this patch, right? https://github.com/GrapheneOS/Vanadium/blob/b727d26b095a8383a81162951144d561c4c73e5b/patches/0114-make-cross-origin-referrer-behavior-configurable.patch#L267

RKNF404 commented 1 month ago

I'll issue the window.name to Vanadium, just wanted to start here.

Referrer-wise, yeah, I am referring (pun) to that patch. It isn't exactly how they do it in implementation, but it would be the same effect as the Reduce setting.

RKNF404 commented 1 month ago

~Documenting some progress here as a to-do, got a working build that shows flags, cross-origin clearing is incomplete and still detectable by JS.~ Fixed in latest iteration.

qoijjj commented 3 weeks ago

@RKNF404 can this be closed?

RKNF404 commented 3 weeks ago

@qoijjj Still sitting on the window.name stuff. It might be best to just use the Cromite patch for that, not exactly but something similar in implementation.

qoijjj commented 3 weeks ago

Oh right, yeah, I'll leave this open then.