I missed the comment about discussing here instead of on the bugs, apologies. I'll just repost my comment from https://bugzilla.mozilla.org/show_bug.cgi?id=970136 here:

Increasing the granularity of referer options seems like a positive thing overall and I have no objection to this proposal. However, I'm curious if you have empirical evidence to the extent to which sending the current host's root keeps certain hosts happy? I ask because my intuition is that the vast majority of cases where a referer "needs" to be sent occur in requests within the same domain (e.g. CSRF+HTTPS protection, hotlinking prevention), and hence setting network.http.referer.XOriginPolicy ought to do the trick.

In any case, now that 822869 has finally landed (woo!) it would be nice to do some testing to arrive at the most restrictive policy we can get away with, with a minimum of breakage. I'd love to hear from the privacy team at Mozilla about the best way to test and push this forward.

On Sun, Feb 9, 2014 at 5:56 PM, Ben Bucksch <[email protected]> wrote:

> (This is re-opening a thread that started in Feb 2013.)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=822869
> In Nov 2013, we got a number of new referer options that allow to limit
> the referer to the hostname only, or to the same domain only.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=970136
> A request to not pass any information between sites, but keep maximum
> compatibility.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=970092
> There's a request to make a shortened referer the default for Firefox.
>
> I argue this is important for privacy to not leak any data from site B to
> site A. So, I think the option proposed in bug 970136 should be the default.
>
> _______________________________________________
> dev-privacy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-privacy
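As an added illustration of the trade-off discussed above (this is not code from the thread or from Firefox), the following Python models what Referer a browser would emit under the cross-origin and trimming prefs that bug 822869 introduced, and shows that a same-site CSRF check still sees a Referer under the restrictive setting. The pref name network.http.referer.trimmingPolicy and the numeric meanings of both prefs are assumed from the Firefox 28-era about:config semantics; the URLs are constructed sample input.

```python
from urllib.parse import urlsplit

# Assumed pref semantics (modelled, not Firefox's own code):
#   network.http.referer.XOriginPolicy:
#       0 = always send, 1 = send only if base domains match,
#       2 = send only if hosts match
#   network.http.referer.trimmingPolicy:
#       0 = full URL, 1 = drop the query string, 2 = scheme://host[:port]/ only


def base_domain(host):
    # Crude eTLD+1 (last two labels). A real browser consults the Public
    # Suffix List; good enough for the sample hosts used here.
    return ".".join(host.split(".")[-2:])


def referer_for(source, target, xorigin_policy=0, trimming_policy=0):
    """Return the Referer value sent from `source` to `target`, or None."""
    s, t = urlsplit(source), urlsplit(target)
    if xorigin_policy == 2 and s.hostname != t.hostname:
        return None
    if xorigin_policy == 1 and base_domain(s.hostname) != base_domain(t.hostname):
        return None
    if trimming_policy == 2:
        return f"{s.scheme}://{s.netloc}/"
    if trimming_policy == 1:
        return f"{s.scheme}://{s.netloc}{s.path or '/'}"
    return source


def csrf_referer_check(referer, expected_host):
    """Server-side check of the kind the thread mentions: accept a state-changing
    request only if a Referer is present and names the expected host."""
    return referer is not None and urlsplit(referer).hostname == expected_host


def demo():
    # Constructed sample: site B links to an unrelated site A, and a shop's
    # own checkout form posts back to the shop.
    cross = referer_for("https://siteb.example/account?user=1",
                        "https://sitea.example/", xorigin_policy=1)
    same = referer_for("https://shop.example/cart?item=5",
                       "https://shop.example/checkout", xorigin_policy=2,
                       trimming_policy=1)
    return cross, same, csrf_referer_check(same, "shop.example")


if __name__ == "__main__":
    print(demo())  # (None, 'https://shop.example/cart', True)
```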
