uBlockOrigin / uMatrix-issues

This is the community-maintained issue tracker for uMatrix
https://github.com/gorhill/uMatrix

Referrer leakage at a certain website #78

Open ghost opened 5 years ago

ghost commented 5 years ago

Prerequisites

Description

Referrer leaks at https://www.myip.com/ when visited via google search result.

A specific URL where the issue occurs

https://www.myip.com/

Steps to Reproduce

  1. Visit https://www.google.com/
  2. Type my ip in search and hit Enter
  3. Click on the very first result which is https://www.myip.com/ and scroll down to the end of the page to locate Referrer field showing URL: www.google.com

Supporting evidence

Logger shows that REFERRER was blocked yet the website is able to detect.

Your environment

uBlock-user commented 5 years ago

~Chromium specific, not reproducible on Firefox.~

gorhill commented 5 years ago

I could not reproduce with Chromium 70/Linux on my side.

This reminds me of this issue: https://github.com/uBlockOrigin/uMatrix-issues/issues/74 -- though not confirmed by OP, it appears the Cookie header was not being removed by the browser as instructed by uMatrix.

uBlock-user commented 5 years ago

I can reproduce on Chromium 70.0.3538.67/Windows on my end.

ghost commented 5 years ago

@gorhill so a browser bug ? Weird, only happens on that site and nowhere else. Should I close this ?

Btw I'm not affected by #74, if I block cookies, I get logged out, so don't think this is related to that issue.

gorhill commented 5 years ago

Ok I could reproduce, I had to allow some 3rd-party scripts in the matrix.

After investigating, I confirm uMatrix really removes the Referer header from request headers.

However, the browser still sets the document.referrer to the original, unmodified header. I consider this to be a browser issue -- I can't even properly provide a workaround for this, only the browser can properly set the correct document.referrer value to match the request header one.

ghost commented 5 years ago

> I had to allow some 3rd-party scripts in the matrix.

my bad, forgot to add you need to whitelist ajax.googleapis.com

> the browser still sets the document.referrer to the original, unmodified header.

but this website only ? Other referrer testing websites work fine. Is the website triggering some exploit ?

ghost commented 5 years ago

Speaking of document.referrer, it stores the correct value no matter what on any website, below screenshot was taken on https://www.whatsmyreferer.com/ - referrer is spoofed successfully yet this -

gorhill commented 5 years ago

There are two ways a site can report to you the referrer they see: server-side or client-side.

If server-side, the referrer is looked up from the request headers, hence it will be spoofed.

If client-side (requires javascript code to be executed), the referrer will be looked up from document.referrer, hence not spoofed in Chromium due to browser bug.

ghost commented 5 years ago

Guessing they're picking the client-side value right ?

gorhill commented 5 years ago

Yes, load https://www.myip.com/js/graf.js and scroll to the end.

ghost commented 5 years ago

With Script-safe in place of uMatrix -

Seems the header is not sent at all or removed. I set the setting Block-click-through referrer to "On All Domains" for that to happen. Maybe you want to try this approach for a workaround.

gorhill commented 5 years ago

I consider this a browser bug, this is what needs to be fixed. No reliable workaround can be crafted to match current referrer-spoofing feature -- at best, a workaround would be unreliable, i.e. easily bypassed by having script code executed at the top of a document, before uMatrix's own content script can patch the referrer according to current ruleset. I'd rather there be a real, actual fix than the appearance of one. My official suggestion would be to just use Firefox if rock-solid referrer spoofing is important.

ghost commented 5 years ago

No I'm fine, thought I would suggest one until document.referrer gets patched. So do you want me to keep it open ?

uBlock-user commented 5 years ago

> I consider this a browser bug, this is what needs to be fixed.

Can't find any bugs filed on the tracker. Do you know of any ?

gorhill commented 5 years ago

Keep it open, I remembered there is this new Referrer-Policy header which appeared relatively recently, I need to investigate whether it can be used to implement uMatrix's referrer-spoofing.
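
One way the Referrer-Policy idea mentioned above could be applied from an extension, as an added example that is not uMatrix's code: a Manifest V2 `webRequest` listener that rewrites each document's response header so the browser itself withholds the referrer from other origins. The function names `effectivePolicy` and `enforceReferrerPolicy`, the choice of acceptable policies and the manifest permissions are assumptions of this example.

```javascript
// Added example (not uMatrix code): MV2 background script. The header logic
// is a pure function so it can be exercised outside a browser.

// Policies that never disclose the referrer to another origin.
const ACCEPTABLE = new Set(['no-referrer', 'same-origin']);
const KNOWN = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url',
]);

// Effective policy = last recognised token across all Referrer-Policy headers
// (a header may carry a comma-separated fallback list). null when none is set.
function effectivePolicy(responseHeaders) {
  let policy = null;
  for (const h of responseHeaders) {
    if (h.name.toLowerCase() !== 'referrer-policy') continue;
    for (const token of (h.value || '').split(',')) {
      const t = token.trim().toLowerCase();
      if (KNOWN.has(t)) policy = t;
    }
  }
  return policy;
}

// Returns a header list whose effective policy never leaks cross-origin.
// A site policy that is already strict enough is returned untouched.
function enforceReferrerPolicy(responseHeaders, fallback = 'no-referrer') {
  if (ACCEPTABLE.has(effectivePolicy(responseHeaders))) return responseHeaders;
  const kept = responseHeaders.filter(
    (h) => h.name.toLowerCase() !== 'referrer-policy');
  kept.push({ name: 'Referrer-Policy', value: fallback });
  return kept;
}

// Wire-up, only when the extension API is present. Assumes the "webRequest",
// "webRequestBlocking" and "<all_urls>" permissions in the manifest.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => ({
      responseHeaders: enforceReferrerPolicy(details.responseHeaders || []),
    }),
    { urls: ['<all_urls>'], types: ['main_frame', 'sub_frame'] },
    ['blocking', 'responseHeaders']
  );
}
```

A page can still relax the policy for its own requests with a `<meta name="referrer">` tag or a per-element `referrerpolicy` attribute, and the header can only trim or withhold the referrer, not replace it with another value.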

gorhill commented 5 years ago

> With Script-safe in place of uMatrix

I looked into this, and I found that ScriptSafe adds a rel="no-referrer" to every link element in the DOM. Not sure what would happen if new link elements are dynamically added -- I didn't look further. Also unsure what would happen for when a location is navigated programmatically.

ghost commented 5 years ago

Is there any extension of Referrer Policy ? I want to see it in action once and see how it deals.

uBlock-user commented 5 years ago

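Made a uBO-Scriptlet to patch document.referrer, useful in cases where document.referrer is used.

```js
// uBO scriptlet: '{{1}}' is replaced by the first scriptlet argument.
(function () {
    const myRefer = '{{1}}';
    // Shadow document.referrer with a getter returning the chosen value.
    Object.defineProperty(window.document, 'referrer', {
        configurable: true,
        get: function () {
            return myRefer;
        }
    });
})();
```

ribatamu commented 5 years ago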

The extension Referer Control at https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin?hl=en is blocking the referer with success on 3rd party requests.

uBlock-user commented 5 years ago

Yes, like this --

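```js
// Content script: ask the extension whether the referrer should be blocked.
chrome.runtime.sendMessage({
    type: "blockReferrer"
}, function (r) {
    try {
        if (r.block) {
            // Add <meta name="referrer" content="no-referrer"> to the head.
            var meta = document.createElement('meta');
            meta.name = "referrer";
            meta.content = "no-referrer";
            document.getElementsByTagName('head')[0].appendChild(meta);
        }
    } catch (ignore) {}
});
```

ribatamu commented 5 years ago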

@uBlock-user could you make this part of your uBO-Scriptlet?

uBlock-user commented 5 years ago

It's better if the fix lands in the extension itself, rather than having to use a scriptlet in ublock.

ribatamu commented 5 years ago

I agreed.

I tried to play with the options in this Referer Control extension... I tested a few pages with which I had referer leakage with uMatrix before and it seems to work well.

I am not sure if that can be implemented in uMatrix.

HashLiver commented 5 years ago

referrer-spoof does not work in Chrome 72+, working on Chrome 71 now

gorhill commented 5 years ago

@HashLiver Probably related to https://github.com/uBlockOrigin/uMatrix-issues/issues/74, fixed in dev build.

ribatamu commented 5 years ago

The extension Privacy Manager is working really well at hiding the referer in Chrome.

uMatrix is not working on some pages. The Referer Control extension is working on every site tested but I had cases in which I had to disable the blocking of the referrer string of third-party requests in order for the page to work properly.

I don't know how they do it but surprisingly, the Privacy Manager is working on every page tested.

cnleo commented 5 years ago

In Chrome 74 the referer is simply sent to everyone: https://www.whatismyreferer.com/.

uBlock-user commented 4 years ago

Apparently I can reproduce this on Firefox Nightly too --

image

image

rusty-snake commented 4 years ago

FYI: https://gitlab.com/smart-referer/smart-referer/issues/138

rusty-snake commented 4 years ago

FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=1601496

nikitalita commented 4 years ago

@uBlock-user did you ever get this working on chrome? I have been trying a number of techniques to get around this to no avail.