
Controlling the ‘referer’ header - nmjenkins
https://blog.fastmail.com/2016/06/20/everything-you-could-ever-want-to-know-and-more-about-controlling-the-referer-header/
======
marco1
This article is about website owners. The best thing you can do as a user is
enabling the 'Referer' for same-origin requests only. That way, you keep
almost all the advantages of the 'Referer' but at the same time fix almost all
the privacy issues.

In Firefox, you can do this by setting `network.http.referer.XOriginPolicy` to
`1` in `about:config`. Or use a `user.js` file with other helpful privacy
settings, e.g. [https://github.com/delight-im/Secure-Firefox](https://github.com/delight-im/Secure-Firefox)

~~~
msravi
Also, if you use uMatrix, you can choose to spoof the referrer string of
third-party requests. And you can optionally choose to allow referrers for
certain domains:

referrer-spoof: * true

referrer-spoof: wsj.com false

This, for example, "allows" viewing of articles on wsj for google-referred
links.

~~~
digi_owl
Similarly with Noscript.

------
itsnotlupus
The URL refresh thing can be done without JavaScript by having a little
server-side entry point that redirects to a destination URL with the same header.

I believe it should be widely supported.

~~~
kevincox
If I understand you correctly, you would still have a Referer header that said
you came from fastmail.com; however, it could be stripped of other sensitive
information. So the URL would be something like
"https://fastmail.com/redirect?u=https://example.com".

~~~
duskwuff
If you do that, though, you have to make sure you don't introduce an open
redirect:

[https://www.owasp.org/index.php/Open_redirect](https://www.owasp.org/index.php/Open_redirect)

It's not a _huge_ issue, given the number of open redirects on the Internet,
but it may put your site at risk of being used in phishing attacks.
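One way to build such a redirect endpoint without turning it into an open redirect, as an added example (this is not Fastmail's code or anything from the linked article): the code that renders outbound links HMAC-signs the destination, the endpoint verifies that signature in constant time before issuing the 302, and both sides refuse anything that is not an absolute http(s) URL. The `/redirect` path, the secret, and the function names are assumptions for illustration; the vulnerable form is shown alongside for contrast.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical redirector for this example. The secret would normally come
# from a secrets store; the constant here is only for illustration.
REDIRECT_SECRET = b"rotate-me-this-is-only-an-example-key"
REDIRECT_BASE = "https://fastmail.com/redirect"
ALLOWED_SCHEMES = {"http", "https"}


def validate_target(target):
    """Reject anything that is not an absolute http(s) URL.

    This blocks javascript:/data: targets and scheme-relative forms such as
    '//evil.example', which urlsplit reports with an empty scheme.
    """
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("target must be an http or https URL")
    if not parts.netloc:
        raise ValueError("target must be absolute")


def sign_target(target, secret=REDIRECT_SECRET):
    """HMAC-SHA256 over the exact string the endpoint will redirect to."""
    return hmac.new(secret, target.encode("utf-8"), hashlib.sha256).hexdigest()


def make_redirect_link(target, secret=REDIRECT_SECRET):
    """Server side, when rendering an outbound link: mint a signed redirect URL.

    Only code holding the secret can produce a link the endpoint honours, so
    the endpoint cannot be pointed at attacker-chosen destinations.
    """
    validate_target(target)
    query = urlencode({"u": target, "sig": sign_target(target, secret)})
    return "%s?%s" % (REDIRECT_BASE, query)


def open_redirect(query_string):
    """The vulnerable form: redirect to whatever 'u' says.

    Anyone can craft https://fastmail.com/redirect?u=https://evil.example and
    borrow the site's reputation in a phishing mail. Returns (status, headers, body).
    """
    params = parse_qs(query_string)
    target = params.get("u", [""])[0]
    return 302, {"Location": target}, b""


def handle_redirect(query_string, secret=REDIRECT_SECRET):
    """The hardened endpoint. Returns (status, headers, body).

    Verifies the signature with a constant-time compare, then re-validates the
    scheme so that even a signature over a bad target does not get honoured.
    """
    params = parse_qs(query_string)
    target = params.get("u", [""])[0]
    sig = params.get("sig", [""])[0]
    expected = sign_target(target, secret)
    if not target or not hmac.compare_digest(sig.encode("utf-8"),
                                             expected.encode("utf-8")):
        return 400, {"Content-Type": "text/plain"}, b"invalid redirect"
    try:
        validate_target(target)
    except ValueError:
        return 400, {"Content-Type": "text/plain"}, b"invalid redirect"
    return 302, {"Location": target}, b""


if __name__ == "__main__":
    link = make_redirect_link("https://example.com/page?x=1")
    print(link)
    print(handle_redirect(link.split("?", 1)[1]))          # 302 to the signed target
    print(handle_redirect("u=https://evil.example&sig=0"))  # 400, not signed by us
```

A host allowlist is the usual fix for an open redirect, but it cannot work for a mail client whose outbound links point anywhere, which is why the signature approach is used here: the endpoint only follows destinations the site itself chose to link to.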

~~~
cmdrfred
I'm building an end-to-end encrypted chat platform in JS (I'm aware of the
risks here; it's a toy project) and I might have to use an open redirect to
prevent URLs from leaking out of messages before they are clicked. I was
thinking of doing something like
external-link.domain.io/redirect?url=https://www.google.com to make it obvious.

~~~
kevincox
Yeah. The concept of an "untrusted" domain is commonly used for things like
this.

IIRC Google uses googleusercontent.com

------
patcheudor
By controlling the referer header you can do all sorts of cool things like
tamper with authenticated Google search histories in a way which makes it look
like the person actually searched for a particular term:

[http://thefutureisastephenkingnovel.com/badforensics/](http://thefutureisastephenkingnovel.com/badforensics/)

------
michaeloblak
How is it possible that this header is misspelled? Is there any interesting
story behind it?

~~~
MichaelApproved
"The misspelling of referrer originated in the original proposal by computer
scientist Phillip Hallam-Baker to incorporate the field into the HTTP
specification.[3] The misspelling was set in stone by the time of its
incorporation into the Request for Comments standards document RFC 1945;
document co-author Roy Fielding has remarked that neither "referrer" nor the
misspelling "referer" were recognized by the standard Unix spell checker of
the period.[4] "Referer" has since become a widely used spelling in the
industry when discussing HTTP referrers; usage of the misspelling is not
universal, though, as the correct spelling "referrer" is used in some web
specifications such as the Document Object Model."

[https://en.wikipedia.org/wiki/HTTP_referer](https://en.wikipedia.org/wiki/HTTP_referer)

------
djsumdog
Google and DuckDuckGo do this with a redirect system, right?

------
cm3
Before loading the page I thought this might be about hiding the client's IP
(that connected to an SMTP server) in the mail headers. Is that possible at
all?

------
chrismorgan
Correction: s/<meta type="referrer">/<meta name="referrer">/g

~~~
nmjenkins
Thanks, fixed (will be live in a minute or two). Should have double checked
that rather than just writing it from memory!

------
MichaelGG
What is the benefit to users of having folder names in the URL? Seems like it
totally avoids the issue if a unique ID or encrypted name is used.

~~~
brongondwana
It actually doesn't totally avoid the issue, because you're still leaking
information unless you use a different ID for every request. Someone looking
at referer logs can see that you accessed two different things from the same
folder.

There's also the u= parameter which tells which user you are. That _is_
obfuscated, but it has the same correlation issue: it's the same forever
for a single user, so you could tell that it's the same user looking at
different URLs.

(we use the u= parameter both for supporting multiple concurrent logged in
users on the same machine, and as an extra layer of CSRF protection)

~~~
MichaelGG
Well if it was just an opaque identifier then it'd not need to leak anything
other than the same item being used multiple times.

But point taken, thanks.

