Use sane about:config value: network.http.referer.XOriginTrimmingPolicy = 2
While reading through various about:config security hardening guides, I found several bad default values for the Tor Browser:
- network.http.referer.XOriginTrimmingPolicy = 2
  - When sending Referer across origins, only send scheme, host, and port in the Referer header of cross-origin requests. Source
    - 0 = Send full URL in Referer
    - 1 = Send URL without query string in Referer
    - 2 = Only send scheme, host, and port in Referer
(This issue was split from https://trac.torproject.org/projects/tor/ticket/27059)
Trac:
Username: floweb
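
The three values listed in the ticket, modelled as an added example (not part of the ticket and not Firefox or Tor Browser source code). The function name `refererFor` and all URLs are constructed for illustration; the model assumes this preference leaves same-origin requests untouched and that userinfo and the fragment are always stripped from a referrer.

```javascript
// Model of network.http.referer.XOriginTrimmingPolicy (values 0, 1, 2 as
// described in the ticket). Hypothetical helper, not browser code.
function refererFor(documentUrl, requestUrl, xOriginTrimmingPolicy) {
  const from = new URL(documentUrl);
  const to = new URL(requestUrl);

  // A referrer never carries credentials or the fragment.
  from.username = '';
  from.password = '';
  from.hash = '';

  // Assumption: the cross-origin pref does not apply when scheme, host and
  // port all match, so the same-origin Referer is left as it is.
  if (from.origin === to.origin) {
    return from.href;
  }

  switch (xOriginTrimmingPolicy) {
    case 0: // full URL
      return from.href;
    case 1: // URL without query string
      from.search = '';
      return from.href;
    case 2: // scheme, host and port only
      return from.origin + '/';
    default:
      throw new RangeError('policy must be 0, 1 or 2');
  }
}

// Constructed sample: a page whose URL holds a secret in the query string
// loads a script from a different origin.
const page = 'https://forum.example/reset?token=abc123&user=alice#top';
const thirdParty = 'https://cdn.example.net/lib.js';

for (const policy of [0, 1, 2]) {
  console.log(policy, refererFor(page, thirdParty, policy));
}
```

With value 1 the query string is gone but the path still reaches the third party; only value 2 reduces the header to the origin.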