Re: [Bug-gnuzilla] default referrer configuration in IceCat
From: Narcis Garcia
Subject: Re: [Bug-gnuzilla] default referrer configuration in IceCat
Date: Tue, 21 Mar 2017 15:20:27 +0100
+1
But changing to:
network.http.referer.XOriginPolicy = 1
[Some websites present problems if spoofSource=true]
On 29/02/16 at 15:29, François Kooman wrote:
> Hi,
>
> The HTTP referrer configuration has some issues when it is used for CSRF
> protection by sites. The default Firefox configuration is like this
> (about:config):
>
> network.http.referer.XOriginPolicy = 0
> network.http.referer.spoofSource = *false*
> network.http.referer.trimmingPolicy = 0
> network.http.sendRefererHeader = 2
>
> The default IceCat configuration is like this:
>
> network.http.referer.XOriginPolicy = 0
> network.http.referer.spoofSource = *true*
> network.http.referer.trimmingPolicy = 0
> network.http.sendRefererHeader = 2
>
> The intention of spoofing the referrer is a good one, but it may be
> better to disable "spoofSource" and instead use "XOriginPolicy" with the
> value of 1=domain match (or 2=host match) that will prevent
> "cross-domain/host" HTTP referrers, but still allow the full referrer on
> the same host/domain. Using referrers within the same domain has no
> implications for privacy of the user as far as I can see.
>
> So, my proposal is this default configuration:
>
> network.http.referer.XOriginPolicy = 2
> network.http.referer.spoofSource = *false*
> network.http.referer.trimmingPolicy = 0
> network.http.sendRefererHeader = 2
>
> I am not sure if this has any other (negative) effects when using this
> to browse around, but so far using it the last couple of days hasn't
> resulted in any issues, but of course my browsing behavior may not be
> representative...
>
> What do you think?
>
> Regards,
> François
>
> --
> http://gnuzilla.gnu.org
>
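
As an added illustration, not part of either message and not Firefox or IceCat code: a simplified JavaScript model of how the four preferences discussed in this thread determine the Referer header, run against a hypothetical host-match CSRF check. The hosts, the check, the two-label base-domain rule and the ordering of the cross-origin test before spoofing are assumptions of the model.

```javascript
// Simplified model of the four prefs quoted in the thread (added example, not browser code).
const FIREFOX  = { XOriginPolicy: 0, spoofSource: false, trimmingPolicy: 0, sendRefererHeader: 2 };
const ICECAT   = { ...FIREFOX, spoofSource: true };   // IceCat default per the thread
const PROPOSED = { ...FIREFOX, XOriginPolicy: 2 };    // proposal in the quoted message
const REPLY    = { ...FIREFOX, XOriginPolicy: 1 };    // variant suggested in the reply

// Assumption: base domain = last two labels. Browsers use the Public Suffix List.
const baseDomain = (host) => host.split(".").slice(-2).join(".");

// Referer value the model sends for a navigation, or null when the header is omitted.
// Assumption: the cross-origin test runs on the real source before any spoofing.
function refererFor(prefs, fromUrl, toUrl) {
  if (prefs.sendRefererHeader === 0) return null;     // the model treats 1 and 2 alike
  const from = new URL(fromUrl), to = new URL(toUrl);
  if (prefs.XOriginPolicy === 2 && from.hostname !== to.hostname) return null;
  if (prefs.XOriginPolicy === 1 &&
      baseDomain(from.hostname) !== baseDomain(to.hostname)) return null;
  const src = prefs.spoofSource ? to : from;          // spoofSource: send the target URL
  src.hash = "";                                      // fragments are never sent
  if (prefs.trimmingPolicy === 2) return src.origin + "/";
  if (prefs.trimmingPolicy === 1) return src.origin + src.pathname;
  return src.href;
}

// Hypothetical server-side CSRF check: Referer must be present and name the site's own host.
function hostCheckPasses(referer, siteHost) {
  return referer !== null && new URL(referer).hostname === siteHost;
}

// Constructed navigations, all targeting the same state-changing URL.
const TARGET = "https://shop.example/order";
const SOURCES = {
  sameHost:   "https://shop.example/cart",
  subdomain:  "https://pay.shop.example/done",
  thirdParty: "https://other.test/page",
};

// For each source page: the Referer the model sends and whether the check accepts it.
function report(prefs) {
  const out = {};
  for (const [name, from] of Object.entries(SOURCES)) {
    const referer = refererFor(prefs, from, TARGET);
    out[name] = { referer, checkPasses: hostCheckPasses(referer, "shop.example") };
  }
  return out;
}

for (const [label, prefs] of Object.entries({ FIREFOX, ICECAT, PROPOSED, REPLY })) {
  console.log(label, report(prefs));
}
```

In this model the IceCat default sends the target URL as Referer for every source, so the host-match check cannot tell the third-party navigation from the same-host one. With XOriginPolicy 1 or 2 and spoofSource off, the third-party navigation carries no Referer at all.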