Closed (omentic closed this issue 2 years ago)

Is your feature request related to a problem? Please describe.
Chromium and all Chromium-based browsers send the HTTP Referer header across different website origins. This can be a privacy leak.

Describe the solution you'd like
A flag to disable the cross-origin Referer header would be a helpful addition. I think it could be on by default.

Describe alternatives you've considered
Extensions (I believe uMatrix) have blocked this in the past, but it would be much better done as part of the browser.

Additional context
This is similar to but different from #1117. I think that's just reduced granularity, but a website operator can still see from what website you clicked the link on. This still allows for malicious redirects.

I've never seen a useful use of the Referer header. On the other hand, I've seen malicious uses: for example, when clicking a link to jwz.org from news.ycombinator.com [semi-nsfw].

Setting network.http.referer.XOriginPolicy to 1 or above in Firefox fixes this, but there isn't yet an equivalent Chromium flag.

Thanks for the detailed feature request.
This definitely sounds like a flag worth having to me. I'll try to dig into the code in the next few days myself, but contributions from others are very welcome of course.

I have a patch that does this, but I had shelved it since I made it also disable the same-origin referrer to prevent some tracking on social media sites, which ended up causing problems with GitHub and a few other sites. If you haven't already put too much time into this, I could update it to only remove the cross-origin referrer and submit a PR sometime after 101 lands.

Besides poking around in the codebase a bit, I haven't had the time to do much, so it'd be great if you could PR it.
Also, maybe disabling same-origin could be a higher level you could set the flag to; as you said, it could be useful in some cases.
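To make the behaviour discussed in this thread concrete, here is an added example (not code from the issue or from the browser) that models which Referer value a client would send for a link click under the Firefox network.http.referer.XOriginPolicy levels, plus a hypothetical "never send" level standing in for the higher setting suggested in the comments. The base-domain check is a labelled simplification that does not consult the Public Suffix List.

```python
from typing import Optional
from urllib.parse import urlsplit

# Policy levels. 0-2 follow Firefox's network.http.referer.XOriginPolicy pref
# (0 = always send, 1 = send only when base domains match, 2 = send only when
# hosts match). Level 3 is a hypothetical "never send", standing in for the
# higher level the thread suggests a Chromium flag could offer.
ALWAYS, SAME_BASE_DOMAIN, SAME_HOST, NEVER = 0, 1, 2, 3


def base_domain(host: str) -> str:
    # Assumption: eTLD+1 approximated by the last two DNS labels. A real
    # browser consults the Public Suffix List (e.g. co.uk); not modeled here.
    return ".".join(host.lower().split(".")[-2:])


def referer_for(source: str, target: str, policy: int = ALWAYS) -> Optional[str]:
    """Referer value sent when navigating from source to target, or None
    when the policy suppresses the header.

    The value is the source origin (scheme://host[:port]). Full-path referers
    and the separate Referrer-Policy trimming rules are deliberately not
    modeled; the thread's concern is that the originating site is disclosed
    at all.
    """
    if policy not in (ALWAYS, SAME_BASE_DOMAIN, SAME_HOST, NEVER):
        raise ValueError(f"unknown policy level {policy}")
    src, dst = urlsplit(source), urlsplit(target)
    if not src.hostname or not dst.hostname:
        raise ValueError("source and target must be absolute URLs with a host")
    if policy == NEVER:
        return None
    if policy == SAME_HOST and src.hostname != dst.hostname:
        return None
    if policy == SAME_BASE_DOMAIN and base_domain(src.hostname) != base_domain(dst.hostname):
        return None
    origin = f"{src.scheme}://{src.hostname}"
    if src.port:
        origin += f":{src.port}"
    return origin


if __name__ == "__main__":
    # Constructed sample navigation matching the case mentioned in the issue.
    for level in (ALWAYS, SAME_BASE_DOMAIN, SAME_HOST, NEVER):
        print(level, referer_for("https://news.ycombinator.com/item?id=1",
                                 "https://www.jwz.org/blog/", level))
```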