
Re: [Bug-gnuzilla] default referrer configuration in IceCat


From: Narcis Garcia
Subject: Re: [Bug-gnuzilla] default referrer configuration in IceCat
Date: Tue, 21 Mar 2017 15:20:27 +0100

+1

But changing to:
network.http.referer.XOriginPolicy = 1

[Some websites present problems if spoofSource=true]


On 29/02/16 at 15:29, François Kooman wrote:
> Hi,
> 
> The HTTP referrer configuration has some issues when it is used for CSRF
> protection by sites. The default Firefox configuration is like this
> (about:config):
> 
> network.http.referer.XOriginPolicy = 0
> network.http.referer.spoofSource = *false*
> network.http.referer.trimmingPolicy = 0
> network.http.sendRefererHeader = 2
> 
> The default IceCat configuration is like this:
> 
> network.http.referer.XOriginPolicy = 0
> network.http.referer.spoofSource = *true*
> network.http.referer.trimmingPolicy = 0
> network.http.sendRefererHeader = 2
> 
> The intention of spoofing the referrer is a good one, but it may be
> better to disable "spoofSource" and instead use "XOriginPolicy" with the
> value of 1=domain match (or 2=host match) that will prevent
> "cross-domain/host" HTTP referrers, but still allow the full referrer on
> the same host/domain. Using referrers within the same domain has no
> implications for privacy of the user as far as I can see.
> 
> So, my proposal is this default configuration:
> 
> network.http.referer.XOriginPolicy = 2
> network.http.referer.spoofSource = *false*
> network.http.referer.trimmingPolicy = 0
> network.http.sendRefererHeader = 2
> 
> I am not sure if this has any other (negative) effects when using this
> to browse around, but so far using it for the last couple of days hasn't
> resulted in any issues; of course my browsing behavior may not be
> representative...
> 
> What do you think?
> 
> Regards,
> François
> 
> --
> http://gnuzilla.gnu.org
> 

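As an added illustration (not code from IceCat, Firefox, or anyone in the thread), the JavaScript below models how the four network.http.referer.* prefs discussed above combine into the Referer header, then runs a referer-based CSRF check of the kind François describes against the three configurations listed (Firefox default, IceCat default, proposed). The pref semantics are the ones Firefox documented at the time; the "domain match" of XOriginPolicy=1 is approximated by the last two DNS labels where Firefox uses the Public Suffix List (eTLD+1), and HTTPS-to-HTTP downgrade stripping is not modelled. The hosts and URLs are constructed for the example.

```javascript
// Added example, not IceCat/Firefox code. Models the Referer header that
// results from the four network.http.referer.* prefs in the thread.
//
// Assumed pref semantics (from Firefox documentation of the period):
//   sendRefererHeader: 0 = never, 1 = link clicks only, 2 = always
//   spoofSource:       true = send the *target* URL as the referrer
//   XOriginPolicy:     0 = always send, 1 = only if base domains match,
//                      2 = only if hosts match
//   trimmingPolicy:    0 = full URL, 1 = scheme+host+port+path,
//                      2 = scheme+host+port only
// Simplifications: base domain = last two labels (Firefox uses eTLD+1);
// HTTPS->HTTP downgrade stripping is not modelled.

const FIREFOX_DEFAULTS = { XOriginPolicy: 0, spoofSource: false, trimmingPolicy: 0, sendRefererHeader: 2 };
const ICECAT_DEFAULTS  = { XOriginPolicy: 0, spoofSource: true,  trimmingPolicy: 0, sendRefererHeader: 2 };
const PROPOSED         = { XOriginPolicy: 2, spoofSource: false, trimmingPolicy: 0, sendRefererHeader: 2 };

// Approximation of Firefox's base-domain test (assumption, see above).
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Apply trimmingPolicy. Fragments and userinfo are never sent in Referer,
// so even policy 0 is origin + path + query, not the raw href.
function trimReferer(u, policy) {
  if (policy === 2) return u.origin + '/';
  if (policy === 1) return u.origin + u.pathname;
  return u.origin + u.pathname + u.search;
}

// Returns the Referer value the browser would send for a request from
// sourceUrl to targetUrl, or null when no header is sent.
// kind is 'link' (navigation) or 'subresource' (image, form auto-submit, ...).
function refererFor(sourceUrl, targetUrl, prefs, kind = 'link') {
  if (prefs.sendRefererHeader === 0) return null;
  if (prefs.sendRefererHeader === 1 && kind !== 'link') return null;
  const src = new URL(sourceUrl);
  const dst = new URL(targetUrl);
  // spoofSource replaces the real origin with the destination itself, so
  // every cross-origin check below trivially passes.
  if (prefs.spoofSource) return trimReferer(dst, prefs.trimmingPolicy);
  if (prefs.XOriginPolicy === 2 && src.host !== dst.host) return null;
  if (prefs.XOriginPolicy === 1 && baseDomain(src.hostname) !== baseDomain(dst.hostname)) return null;
  return trimReferer(src, prefs.trimmingPolicy);
}

// A strict server-side referer check: a state-changing request is accepted
// only if Referer is present and on the site's own host.
function refererCsrfCheck(refererHeader, siteHost) {
  if (refererHeader === null) return false;
  try {
    return new URL(refererHeader).host === siteHost;
  } catch (e) {
    return false;
  }
}

// Constructed scenario: a page on attacker.example posts a form to
// bank.example, and a legitimate bank.example page does the same.
const ATTACK_SRC    = 'https://attacker.example/poc.html';
const SAME_SITE_SRC = 'https://bank.example/account?id=42#balance';
const TARGET        = 'https://bank.example/transfer?to=mallory&amount=1000';

function scenario(prefs) {
  const crossRef = refererFor(ATTACK_SRC, TARGET, prefs);
  const sameRef  = refererFor(SAME_SITE_SRC, TARGET, prefs);
  return {
    crossSiteReferer:     crossRef,
    crossSitePassesCheck: refererCsrfCheck(crossRef, 'bank.example'),
    sameSiteReferer:      sameRef,
    sameSitePassesCheck:  refererCsrfCheck(sameRef, 'bank.example'),
  };
}

function main() {
  for (const [name, prefs] of [['Firefox', FIREFOX_DEFAULTS], ['IceCat', ICECAT_DEFAULTS], ['Proposed', PROPOSED]]) {
    console.log(name, JSON.stringify(scenario(prefs)));
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

With the IceCat defaults the cross-site request arrives with `Referer: https://bank.example/transfer?to=mallory&amount=1000`, which the bank's own-host check accepts, so the spoofing defeats exactly the protection it is supposed to support. With the proposed settings the cross-host request carries no Referer at all and the same-host one carries the full URL. Two caveats a practitioner should keep in mind: a lenient check that treats a missing Referer as acceptable is still bypassable under XOriginPolicy=2, so the server-side check has to be strict; and XOriginPolicy=1 (Narcis's suggestion) lets www.bank.example send its referrer to bank.example where policy 2 would suppress it, which is the trade-off between the two values.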

