Preventing data leaks by stripping path information in HTTP Referrers

To help prevent third party data leakage while browsing privately, Firefox Private Browsing Mode will remove path information from referrers sent to third parties starting in Firefox 59.

Referrers can leak sensitive data

Screenshot of healthcare.gov requests. Source: EFF

An example of personal health data being sent to third parties from healthcare.gov. Source: EFF

When you click a link in your browser to navigate to a new site, the new site you visit receives the exact address of the site you came from through the so-called “Referrer value”. For example, if you came to this Mozilla Security Blog from reddit.com, the browser would send blog.mozilla.org this:

Referer: https://www.reddit.com/r/privacy/comments/Preventing_data_leaks_by_stripping_path_information_in_HTTP_Referrers/

This leaks user data to websites, telling websites the exact page you were looking at when you clicked the link. To make things worse, browsers also send a referrer value when requesting sub-resources, like ads, or other social media snippets integrated in a modern web site. In other words, embedded content also knows exactly what page you are visiting

Most sites log this data for operational and statistical purposes. Many sites also log this data to collect as much information about their users as possible.  They can then use that data for a variety of purposes, or even sell that data – e.g., for re-targeting.

While the data above may not be a problem, consider this example:

Referer: https://www.
healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000

EFF researchers discovered this leak of personal health data from healthcare.gov to DoubleClick. As indicated, the referrer in this case leaks information about your age, your zip code, whether you are a smoker or not, and potentially even your income. Other companies (link1, link2) have disclosed similar vulnerabilities and leaks.

Private Browsing will strip paths in HTTP referrers

Screenshot: Firefox Private Browsing window

To prevent this type of data leakage when Firefox users are browsing privately, we are changing the way Firefox sends referrers in Private Browsing Mode.

Starting with Firefox 59, Private Browsing will remove path information from referrer values sent to third parties (i.e. technically, setting a Referrer Policy of strict-origin-when-cross-origin).

In the previous examples, this setting would remove the path and query string data from the referrer values so that they are stripped down to:

Referer: https://www.reddit.com/

and

Referer: https://www.healthcare.gov/

This change prevents site authors from accidentally leaking user data to third parties when their users choose Private Browsing Mode.  We made this change only after first ensuring that this would have minimal to no effect on web usability.

Other ways of controlling referrers

Vendors and authors continue to propose changes to Referrers to improve web privacy, security, and functionality.

In 2014, the W3C Web Application Security Working Group started its Referrer Policy Recommendation. This Policy lets vendors and authors control referrer values. For example, it defines a secure-by-default no-referrer-when-downgrade policy for user agents, which does not send referrers to HTTP resources from an HTTPS page. In Firefox Regular and Private Browsing Mode, if a site specifically sets a more restrictive or more liberal Referrer Policy than the browser default, the browser will honor the websites request since the site author is intentionally changing the value.

Users can also change their default referrer options in Firefox.  These will override the browser’s default Referrer Policy and override the site author’s Referrer Policy, putting the users choice first.