The majority of the web is now protected against information disclosure exploits that leverage the HTTP referrer header after Mozilla announced a privacy-focused Firefox update.
Launched yesterday (March 23), Firefox 87 marks the debut of a stricter, more privacy-preserving default Referrer Policy, according to Mozilla.
“From now on, by default, Firefox will trim path and query string information from referrer headers to prevent sites from accidentally leaking sensitive user data,” the company said in a blog post.
Points of reference
Historically browsers sent the HTTP referrer header to let a website know which location ‘referred’ a user to that website.
A Referrer Policy adopted by browser-makers around five years ago gave improved privacy in transitions from HTTPS websites but this has been superseded by even tighter controls.
The new “stricter referrer policy will not only trim information for requests going from HTTPS to HTTP, but will also trim path and query information for all cross-origin requests,” Mozilla explained.
Google introduced a similar new default Referrer Policy for Chrome last December.
The new default behaviour is to show the referrer partially, but it can be customized by the application to keep backwards compatibility, as Google’s documentation for developers explains.
On Safari
Apple’s Safari browser did something comparable with a technology called Intelligent Tracking Prevention (ITP), also released last December.
ITP “downgrades all cross-site request referrer headers to just the page’s origin” instead of redacting cross-site requests to classified domains, according to Apple.
These improved security controls by Apple extend to browsers on mobile devices running on iOS, such as iPhones and iPads.
Security researcher Gareth Heyes of PortSwigger commented: “iOS should have the same behaviour, and as far as I know there are no exceptions, but I haven’t tested mobile browsers on Android, so I don’t know for sure.”
The changes by browser makers collectively address a class of information disclosure via HTTP referrer header vulnerability.
Source: https://portswigger.net/daily-swig/mozilla-tightens-firefoxs-http-referrer-header-controls-to-boost-privacy