Mozilla Firefox tweaks Referrer Policy to shore up user privacy

Starting in Firefox 87, the browser will contain extra protections to stop information leaks.

Mozilla Firefox will soon include a revised Referrer Policy to tighten up queries and better protect user information. 

Firefox 87, due to ship on March 23, will cut back on path and query string information from referrer headers "to prevent sites from accidentally leaking sensitive user data."

In a blog post on Monday, developer Dimi Lee and security infrastructure engineering manager Christoph Kerschbaumer said the latest browser version will include a "stricter, more privacy-preserving default Referrer Policy."

Browsers send HTTP Referrer headers to websites to indicate which location has 'referred' a user to a website server. Full URLs of referring documents are often sent in the HTTP Referrer header with other subresource requests, and while this may contain innocent information used for purposes including analytics, private user data may also be included. 

Referrer policies aim to protect this data, but if no policy is set by a website, this often defaults to "no-referrer-when-downgrade," an element that Firefox says does trim down the referrer when navigating to a less secure resource, but still "sends the full URL including path and query information of the originating document as the referrer."

"The 'no-referrer-when-downgrade' policy is a relic of the past web, when sensitive web browsing was thought to occur over HTTPS connections and as such should not leak information in HTTP requests," the team says. "Today's web looks much different: the web is on a path to becoming HTTPS-only, and browsers are taking steps to curtail information leakage across websites. It is time we change our default Referrer Policy in line with these new goals."

As such, Firefox 87 will introduce "strict-origin-when-cross-origin" as default in the browser's Referrer Policy, which will cut away sensitive user information -- including path and query string -- accessible in URLs and in requests going from HTTPS to HTTP as well as all cross-origin requests.

"Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience," Firefox says. 

Google Chrome introduced also a stricter default Referrer Policy in version 85 of the browser, alongside speed improvements and tab previews.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0