Use sane about:config value: network.http.referer.XOriginPolicy = 2
While reading through various about:config security hardening guides, I found several bad default values for the Tor Browser:
- network.http.referer.XOriginPolicy = 2
  - Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.) Source
  - 0 = Send Referer in all cases
  - 1 = Send Referer to same eTLD sites
  - 2 = Send Referer only when the full hostnames match
(This issue was split from https://trac.torproject.org/projects/tor/ticket/27059)
Trac:
Username: floweb
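To make the three XOriginPolicy values concrete, here is an added model (not Tor Browser or Firefox code) that decides whether a cross-site request would carry a Referer under policy 0, 1 or 2. The small public-suffix set and the sample URLs are constructed for the example; real Firefox consults the full Public Suffix List.

```python
# Model of network.http.referer.XOriginPolicy as described in the ticket:
#   0 = send Referer always, 1 = send when the base domain (eTLD+1) matches,
#   2 = send only when the full hostnames match.
# Added example, not Firefox/Tor Browser code.
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "onion"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'a.b.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    # i = 0 tests the longest candidate suffix first, so the longest match wins.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix            # host is itself a public suffix
            return ".".join(labels[i - 1:])
    return host.lower()                  # no known suffix: treat host as its own base


def sends_referer(policy: int, source_url: str, target_url: str) -> bool:
    """True if a request from source_url to target_url carries a Referer under `policy`."""
    src = (urlsplit(source_url).hostname or "").lower()
    dst = (urlsplit(target_url).hostname or "").lower()
    if policy == 0:
        return True
    if policy == 1:
        return registrable_domain(src) == registrable_domain(dst)
    if policy == 2:
        return src == dst
    raise ValueError(f"unknown XOriginPolicy value: {policy}")


def compare_policies(source_url: str, target_url: str) -> dict:
    """Show how each policy value treats the same navigation."""
    return {p: sends_referer(p, source_url, target_url) for p in (0, 1, 2)}


if __name__ == "__main__":
    # Constructed sample navigations.
    for src, dst in [("https://a.example.com/page", "https://b.example.com/"),
                     ("https://a.example.com/page", "https://other.org/")]:
        print(src, "->", dst, compare_policies(src, dst))
```

The second navigation shows why the ticket argues for 2: two subdomains of one site are still distinct hosts, and only policy 2 withholds the Referer between them.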