This is yet another example of why sending the Referrer header is insane. It's a massive privacy breach by design. Anything serious about protecting privacy needs to stop intentionally betraying the user's browsing path and simply remove the header from all HTTP requests.
Anything that functionally relies on a valid referrer is at best an unfortunate but necessary casualty. However, I suspect that far too often this is simply a way to obfuscate the usual tracking. If you tie your functionality to something designed to violate user privacy, don't be surprised if that functionality breaks when the privacy leak is finally fixed.
> I'm not sure offhand if browsers would be passing a referer header by default, or if that could somehow reliably identify the site I'm actually visiting. If so, that'd be one valuable fact.
They are passing referer unless the context is an encrypted connection and the resource is on plain HTTP.
> Is there any story about anyone affected by the issue? Does this issue even exist
Yes. Yes it does.
Imagine, a web site that has a query parameter with a secret (password reset pages, email unsubscribe, custom feeds, etc). Any images or other assets used in the page will receive the full URL as the referrer, so they can see those secrets.
GitHub fixed this very issue a few years ago. They have a feature to get custom RSS feeds for user activity. There is a secret worry parameter in the URL, and any third party images were receiving that full URL.
Referrer-Policy header is already supported in many browsers.
> To help prevent third party data leakage while browsing privately, Firefox Private Browsing Mode will remove path information from referrers sent to third parties starting in Firefox 59.
Emphasis mine.
It only does it in private mode. I experimented with the referrer options mentioned in the article with mixed success. Not sending the referer header breaks some sites and often in a non-obvious way.
> some browsers even then did not send Referer headers reliably
Apart from https/http thing mentioned elsewhere in this thread, there's also Referrer-Policy [1]. I don't know how wide-spread its use is, but I find that most requests I get have no referrer header these days.
> Personally I use Referer header checking as well. IME all the browsers of my users do send them.
IME that is not true. Certain corporate/government machines have Referer headers turned off for some strange "security" reason. Last time I ran into this when working with Architect of the Capitol (http://www.aoc.gov/), when they couldn't log into a management panel because Django's CSRF protection checks the Referer header.
>Personally I use Referer header checking as well. IME all the browsers of my users do send them. So if you extract the CSRF token, it's useless by itself unless you also can make the browser send the right Referer header (and AFAIK, all the holes such as Flash have been plugged).
> the request header referrer for the tracking domain will no longer contain the full web address of the host page, only the domain name
Why not just remove referrer header for all 3rd party requests? Or remove it in Private browsing mode. VPNs nice, im using one, but other VPN companies are not, such a cutthroat business :) And you can not self-host VPN, it defeats the hide my IP feature.
> What is the state of Referer in modern browsers?
Referers are still sent in all popular browers and expose information that is not necessary at all.
> Why keep it?
I can't think of any reason. Can you?
> Would removing it break anything?
It might certainly break some websites. But mechanisms which rely on the HTTP referer are usually broken, anyway. It should not affect too many sites.
> File bugs against browser developers to remove Referer
The referer is such a fundamental feature (not due to its importance but history/habit) that a filed bug will probably be closed within minutes ;)
> Meanwhile users can disable Referer
Certainly. I have. But as with all security-related things, how many "normal" users will do this? 99% of users don't even know about "about:config" in Firefox etc.
> This becomes less of an issue as sites move to https, where Referer is not sent
This is wrong. Even on HTTPS, the referer is always sent unless the referenced site is plain (not secure) HTTP.
This is yet another example of why sending the Referrer header is insane. It's a massive privacy breach by design. Anything serious about protecting privacy needs to stop intentionally betraying the user's browsing path and simply remove the header from all HTTP requests.
Anything that functionally relies on a valid referrer is at best an unfortunate but necessary casualty. However, I suspect that far too often this is simply a way to obfuscate the usual tracking. If you tie your functionality to something designed to violate user privacy, don't be surprised if that functionality breaks when the privacy leak is finally fixed.
reply