Opened 4 years ago

Last modified 3 years ago

#16920 needs_review defect

Referer Header should be disabled for new tabs

Reported by: someone_else Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-linkability
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The referer header allows tracking when a link is opened in a new tab.

https://www.torproject.org/projects/torbrowser/design/
has valid reasons for not disabling referers alltogether.

However, explicit links that a user is expected to click very rarely fail when they are opened without referer. When they do, users can still open them in the original tab as a workaround. Even without stripping the referer, this is already necessary in some cases (e.g. certain Javascript links). Many users will already be trained to perform the workaround.

Leaving the referer in place when opening new tabs allows unexpected tracking across different tabs and undermines circuit isolation. With circuit isolation in place, the user expectation is that different tabs are isolated. For many users, the majority of tabs will be opened via 'open link in new tab' and users can potentially be tracked across long browsing sessions.

With referers in place, users are exposed to a much higher risk that accounts on different sites can be tied together, when they expected that tabs are fully isolated.

This referer stripping should at the very least be performed on the highest security setting.

Tor Browser Patch:

--- a/browser/base/content/utilityOverlay.js
+++ b/browser/base/content/utilityOverlay.js
@@ -358,7 +358,7 @@ function openLinkIn(url, where, params) {
   case "tab":
     w.gBrowser.loadOneTab(url, {
       referrerURI: aReferrerURI,
-      referrerPolicy: aReferrerPolicy,
+      referrerPolicy: Components.interfaces.nsIHttpChannel.REFERRER_POLICY_NO_REFERRER,
       charset: aCharset,
       postData: aPostData,
       inBackground: loadInBackground,

Child Tickets

Change History (2)

comment:1 Changed 4 years ago by cypherpunks

Priority: normalmajor

This kind of session tracking even works for https. E.g. search with Disconnect search. Links to https sites opened in new tabs will include the search id as referer:
Referer: https://search.disconnect.me/searchTerms/serp?search=be546373-ac83-4a7e-968d-354236197519

Many sites now use Cloudfront as https frontend. Cloudfront has access to the referrers accross different URL bar domains / circuits, since they handle the encryption.

There are many more examples, where unique IDs are included in referers. E.g. PHP session IDs are very common.

comment:2 Changed 3 years ago by bugzilla

Keywords: tbb-linkability added
Severity: Normal
Status: newneeds_review

Makes sense in a part that it

should not be preserved for cross-origin navigation

Note: See TracTickets for help on using tickets.