{"id":1868,"date":"2015-01-21T05:40:13","date_gmt":"2015-01-21T13:40:13","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=1868"},"modified":"2015-08-10T15:50:55","modified_gmt":"2015-08-10T22:50:55","slug":"meta-referrer","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/","title":{"rendered":"Tighter Control Over Your Referrers"},"content":{"rendered":"

The purpose of the HTTP Referer (sic) header is to help sites figure out where their traffic comes from. However, as the Web got more complex, the amount of information in the Referer header ballooned, leading to bigger privacy problems. Firefox Beta supports a new feature to help sites protect their users\u2019 privacy by changing the Referer header.<\/p>\n

HTTP Referer provides a wealth of information about where you came from to the sites you visit, but this context isn\u2019t always necessary (or desired). In addition, it is an unreliable tool for authenticating the origin of an HTTP request unless it\u2019s always present, which it\u2019s not due to privacy concerns (HTTPS sessions should not leak URLs to HTTP). When it is transmitted, there are still privacy concerns (“is that my username in the URL?”) because it\u2019s all (whole URI) or nothing. To get what they want privacy-wise, sites often had<\/a> to hack around direct loads with redirects and frames to change the referrer to something safer. What\u2019s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that\u2019s less privacy invasive.<\/p>\n

This HTTP header has become quite problematic and not very useful, so we\u2019re working to make it better. <\/p>\n

Step one was to make gecko more flexible: we laid the groundwork<\/a> so that it is easier for a user or browser extension to configure when Referer headers are sent and what they contain.<\/p>\n

Step two is to help sites protect their users. Firefox 36 Beta now supports a feature called “meta referrer.” (Yes, this time “referrer” is spelled correctly<\/a>.) Now your HTML documents can include a meta tag that specifies one of many referrer policies<\/a> for the document to change what Firefox sends in the Referer header, and when it is sent. If your page contains the tag:<\/p>\n

<meta name=\"referrer\" content=\"origin\"> <\/code><\/p>\n

all Referer headers in loads from your document will be without a path, query string or fragment, origin only. There are other policies you can specify to suppress referrers entirely, send a stripped-down referrer string cross-origin, and more.<\/p>\n

We are proud to add this tool to the suite of features in Firefox that Web developers can use to protect their visitors\u2019 privacy. Try it out! Let us know what you think!<\/p>\n

Many thanks to Owen Chu for getting the gecko implementation started.<\/p>\n

Sid Stamm
\nSecurity and Privacy Engineer<\/p>\n","protected":false},"excerpt":{"rendered":"

The purpose of the HTTP Referer (sic) header is to help sites figure out where their traffic comes from. However, as the Web got more complex, the amount of information … Read more<\/a><\/p>\n","protected":false},"author":1438,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[47,30,847,69],"tags":[45511,5865,45509],"coauthors":[],"yoast_head":"\nTighter Control Over Your Referrers - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"mozilla\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/\",\"name\":\"Tighter Control Over Your Referrers - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2015-01-21T13:40:13+00:00\",\"dateModified\":\"2015-08-10T22:50:55+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Tighter Control Over Your Referrers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9\",\"name\":\"mozilla\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/98138a294cb6e19a68b02ef8ca9be2dc\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g\",\"caption\":\"mozilla\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Tighter Control Over Your Referrers - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/","twitter_misc":{"Written by":"mozilla","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/","url":"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/","name":"Tighter Control Over Your Referrers - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2015-01-21T13:40:13+00:00","dateModified":"2015-08-10T22:50:55+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2015\/01\/21\/meta-referrer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Tighter Control Over Your Referrers"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9","name":"mozilla","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/98138a294cb6e19a68b02ef8ca9be2dc","url":"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g","caption":"mozilla"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1868"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1438"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1868"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1868\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1868"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}