Opened 8 years ago

Closed 8 years ago

#4783 closed defect (wontfix)

Set Referrer to loaded website

Reported by: ancientmariner
Owned by: mikeperry
Priority: Medium
Milestone:
Component: Firefox Patch Issues
Version:
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Currently the Tor Browser's Referrer is left empty. The problem with this is it breaks navigation for some webpages, i.e., you can't go back to the previous webpage using the Browser's Back button. Instead, the Referrer should be set to the website being navigated to. So, for example, if a person clicks on a link for the website "www.xyz.com" the Referrer should be set to "www.xyz.com." The same thing for websites typed into the URL bar. This will prevent navigation between webpages from becoming broken.

Change History (2)

comment:1 Changed 8 years ago by ancientmariner

I noticed using TBB 2.2.35-x that the browser leaves a referrer. For example, search for "ipaddress.com" at some search site, then click on the link for the same website. The website ipaddress.com identifies the referrer if it can. If Bing.com is used as the search site, ipaddress.com lists Bing.com as the referrer. The Firefox addon "Refcontrol" provides the user the option I recommended earlier -- set the referrer to the REQUESTED WEBSITE so that navigation isn't broken without compromising privacy. When Refcontrol is used with the recommended option enabled, no referrer is identified by ipaddress.com.

comment:2 Changed 8 years ago by mikeperry

Resolution: wontfix
Status: new → closed

Proper referer spoofing is harder than it seems. The policy you suggest does break actual sites (IIRC the Washington Post was among them).

We tried a more nuanced policy (see #2148 for its evolution), but at the end of the day, we were devoting so much effort to maintaining this policy that we decided to abandon it, because referer spoofing does not stop bad actors in the first place. Consider for example that Google+ encodes the referer in the GET parameters of +1 buttons. Ad networks do this, too.

See also the middle chunk of https://lists.torproject.org/pipermail/tor-dev/2011-June/002806.html and http://archives.seul.org/or/dev/Jul-2011/msg00019.html for more discussion.
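
Added example, not part of the ticket or of Tor Browser's code: a small audit of the point made in comment:2, checking whether third-party request URLs carry the page's address in their GET parameters under each Referer policy discussed here. The hosts, parameter names and policy labels are constructed for illustration, and the "real" policy is modelled as sending the full page URL.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample data: one page and the third-party requests it triggers.
PAGE = "https://news.example/story/42"
REQUESTS = [
    "https://widget.example/button?url=https%3A%2F%2Fnews.example%2Fstory%2F42",
    "https://ads.example/serve?slot=3&ref=https%253A%252F%252Fnews.example%252Fstory%252F42",
    "https://cdn.example/lib.js?v=7",
]

def referer_for(policy, page_url, request_url):
    """Referer header the browser would send under each policy from the ticket."""
    if policy == "empty":            # behaviour the ticket describes as current
        return None
    if policy == "spoof-to-target":  # the reporter's proposal (assumed: target origin)
        target = urlsplit(request_url)
        return f"{target.scheme}://{target.netloc}/"
    if policy == "real":             # no spoofing; modelled as the full page URL
        return page_url
    raise ValueError(f"unknown policy: {policy}")

def leaking_params(page_url, request_url):
    """Names of query parameters on a third-party request that carry the page's host."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    req = urlsplit(request_url)
    if not page_host or (req.hostname or "").lower() == page_host:
        return []                    # first-party request: nothing to flag
    hits = []
    for name, value in parse_qsl(req.query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again to normalise double-encoded values.
        # Substring matching is deliberately coarse and can over-report.
        if page_host in unquote(value).lower():
            hits.append(name)
    return hits

def audit(policy, page_url=PAGE, requests=REQUESTS):
    """Per request: (host, Referer header sent, parameters that still name the page)."""
    return [(urlsplit(r).hostname, referer_for(policy, page_url, r),
             leaking_params(page_url, r)) for r in requests]

if __name__ == "__main__":
    for policy in ("empty", "spoof-to-target", "real"):
        print(policy)
        for host, referer, params in audit(policy):
            print(f"  {host:16} Referer={referer!s:32} page in params: {params}")
```

The Referer column changes with the policy while the flagged parameters stay the same, because the page address in the query string never passes through the header.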
