uBlockOrigin / uMatrix-issues

This is the community-maintained issue tracker for uMatrix
https://github.com/gorhill/uMatrix

Configurable referer switch or behavior change #24

Open Remu-rin opened 6 years ago

Remu-rin commented 6 years ago

Description

Related to https://github.com/uBlockOrigin/uMatrix-issues/issues/19 and https://github.com/uBlockOrigin/uMatrix-issues/issues/20 concerning web breakage, and to https://github.com/gorhill/uMatrix/issues/773 concerning security. Is it possible to make the referer switch configurable to either spoofing or completely removing? Or maybe just change the spoofing behavior to removing the header? I think the first reasons for uMatrix are always privacy and security (web breakage is expected). As mentioned in https://github.com/gorhill/uMatrix/issues/773, removing the referer is more secure, because some sites may check the referer for CSRF reasons (there is now https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ and maybe other things for this, but legacy is legacy). The same goes for privacy: considering the appearance of https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy, sites can now tell browsers to strip or remove referers to third parties (but not to spoof), so removing should stand out less than spoofing. Breakage is less important, but I think removing the referer will also become less breaking as time goes on. An example is the facebook video in the previous issues.

A specific URL where the issue occurs

https://www.facebook.com/nos/videos/2241787655836780/

Steps to Reproduce

  1. Disable uMatrix or referer spoofing in it.
  2. Install https://addons.mozilla.org/en-US/firefox/addon/smart-referer/
  3. Try launching video with both spoofing and removing modes. Extension settings, Rewrite mode, "Send the URL you're going to as referer (recommended)" and "Send nothing as referer, looking like a direct hit".
  4. Notice that spoofing referer breaks video, while with removed referer video plays fine.

Supporting evidence

(screenshot attachment, not preserved)

Your environment
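The two mechanisms the thread contrasts (what a browser sends under each `Referrer-Policy` value, and how a server-side referer-based CSRF check reacts to a removed versus a spoofed header) can be made concrete in a few lines. The following is an added example written for this page; it is not uMatrix code or Smart Referer code. It assumes, as the thread implies, that "spoofing" means the extension sets `Referer` to the requested resource's own origin, and the `csrf_check` function is a hypothetical server-side check modelled on the kind of legacy referer validation mentioned in gorhill/uMatrix#773. The URLs are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Default ports are omitted from a serialized origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialize the origin (scheme://host[:port]) of a URL."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is None or DEFAULT_PORTS.get(p.scheme) == p.port:
        return f"{p.scheme}://{host}"
    return f"{p.scheme}://{host}:{p.port}"


def strip_for_referrer(url: str) -> str:
    """Drop credentials and fragment, as the Fetch spec does before a
    URL may be used as a referrer."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port is not None and DEFAULT_PORTS.get(p.scheme) != p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referer_for(policy: str, source: str, target: str) -> Optional[str]:
    """Return the Referer value a browser sends for a request from
    `source` to `target` under the given Referrer-Policy, or None when
    the header is omitted entirely. Empty policy = browser default."""
    if policy == "":
        policy = "strict-origin-when-cross-origin"
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(target).scheme == "http")
    same_origin = origin_of(source) == origin_of(target)
    full = strip_for_referrer(source)
    origin_only = origin_of(source) + "/"   # origin form carries a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def csrf_check(site_origin: str, origin_header: Optional[str],
               referer_header: Optional[str], reject_missing: bool = True) -> bool:
    """Hypothetical legacy same-origin check for a state-changing request.
    Origin is preferred; Referer is the fallback; a request with neither is
    rejected when reject_missing is True (the strict mode that makes
    referer removal break sites) and accepted otherwise."""
    if origin_header is not None:
        return origin_header == site_origin
    if referer_header is not None:
        return origin_of(referer_header) == site_origin
    return not reject_missing


if __name__ == "__main__":
    page = "https://a.example/watch?v=1#t=10"   # constructed page URL
    embed = "https://b.example/player"           # constructed third-party resource
    for policy in ("", "no-referrer", "origin", "unsafe-url"):
        print(f"{policy or 'default':32} -> {referer_for(policy, page, embed)!r}")
    site = origin_of(embed)
    # Spoofed to the resource's own origin: a referer-only CSRF check passes.
    print("spoofed :", csrf_check(site, None, site + "/"))
    # Removed: the strict check rejects, the lenient check accepts.
    print("removed :", csrf_check(site, None, None), csrf_check(site, None, None, False))
    # Real cross-site referer: rejected either way.
    print("real    :", csrf_check(site, None, referer_for("unsafe-url", page, embed)))
```

Running the script shows the shape of the argument: under the browser's default policy a cross-origin request already carries only `https://a.example/`, and under `no-referrer` it carries nothing, which is why a removed header blends in with what policy-respecting browsers send; the `csrf_check` rows show that a referer spoofed to the resource's own origin satisfies a referer-based check that a removed header would fail in strict mode, which is the trade-off gorhill/uMatrix#773 and the breakage reports in this thread describe from opposite sides.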

gorhill commented 6 years ago

Outright removing a referrer header can also cause issues: https://github.com/gorhill/httpswitchboard/issues/222.

uBlock-user commented 6 years ago

> while with removed referer video plays fine.

That's on facebook only, you cannot conclusively conclude that this will work for all the websites that host videos. Not to mention, websites can add their own referrer policy too, in that case this will also not work and you will be back to disabling the switch or trying spoofing to make it work.

Remu-rin commented 6 years ago

> That's on facebook only, you cannot conclusively conclude that this will work for all the websites that host videos.

I didn't say anything like that. But the appearance of referrer-policy means that the removing behavior will be more normal than earlier, which probably will result in less breakage now.

> Not to mention, websites can add their own referrer policy too, in that case this will also not work

Referrer policy on site A doesn't mean that site B resources won't work with a different policy. Even if they are related to each other. If that were true, then in the times before referrer-policy sites wouldn't have worked with both spoofing and removing, because the default referrer behavior was "send full referer in all cases". But spoofing often worked fine, same as removing the header, though less often probably.

> and you will back to disabling the switch or trying spoofing to make it work.

Yep, but that's not worse, that's better, right? You have more flexibility and need to disable the switch completely only if both variants are not working.

uBlock-user commented 6 years ago

> I didn't say anything like that.

But you did postulate this feature request based on facebook's case only, hence my first response was on that.

> Referrer policy on site A doesn't mean that site B resources won't work with different policy. Even if they are related to each other.

It's true in the case of mcloud.to. Visit https://www6.fmovies.se/film/legion-2.9297x/qrjrq5 with referrer spoofing for fmovies.se enabled and you will see a 404 from the mcloud.to embedded video, as it will purposefully not serve you the video you requested. Even spoofing a custom referrer via the ScriptSafe extension doesn't work there.

> Yep, but that's not worse, that's better, right?

It would if the website admin decides to enforce a referrer policy and this turns into something just like that anti-adblock war. So the possibility does exist. Take the example of facebook itself. I have been using facebook with referrer spoofing enabled for more than a year and the videos played just fine, however in the last couple of days they decided to enforce a referrer policy and that led to #19 and #20 being filed here.

I'm not against this feature, to let you know, but it will not make a major difference in general compared to the current state.

uBlock-user commented 5 years ago

> https://www.facebook.com/nos/videos/2241787655836780/

Video plays fine without having to turn the Referrer switch off; seems like the issue was on facebook's end.