{"id":2704,"date":"2021-03-22T03:00:53","date_gmt":"2021-03-22T10:00:53","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2704"},"modified":"2021-03-22T09:17:12","modified_gmt":"2021-03-22T16:17:12","slug":"firefox-87-trims-http-referrers-by-default-to-protect-user-privacy","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/","title":{"rendered":"Firefox 87 trims HTTP Referrers by default to protect user privacy"},"content":{"rendered":"<p>&nbsp;<\/p>\n<p>We are pleased to announce that Firefox 87 will introduce a stricter, more privacy-preserving default Referrer Policy. From now on, by default, Firefox will trim path and query string information from referrer headers to prevent sites from accidentally leaking sensitive user data.<\/p>\n<p>&nbsp;<\/p>\n<h2>Referrer headers and Referrer Policy<\/h2>\n<p>Browsers send the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Referer\">HTTP Referrer<\/a> header (note: original specification name is \u2018HTTP Referer\u2019) to signal to a website which location \u201creferred\u201d the user to that website\u2019s server. More precisely, browsers have traditionally sent the full URL of the referring document (typically the URL in the address bar) in the HTTP Referrer header with virtually every navigation or subresource (image, style, script) request. 
Websites can use referrer information for many fairly innocent purposes, including analytics, logging, or optimizing caching.<\/p>\n<p>Unfortunately, the HTTP Referrer header often contains private user data: it can reveal which articles a user is reading on the referring website, or even include information about a user\u2019s account on that website.<\/p>\n<p>The introduction of the <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Referrer-Policy\">Referrer Policy<\/a> in browsers in 2016-2018 allowed websites to gain more control over the referrer values sent from their pages, and hence provided a mechanism to protect the privacy of their users. However, if a website does not set any kind of referrer policy, then web browsers have traditionally defaulted to a policy of \u2018no-referrer-when-downgrade\u2019, which omits the referrer entirely when navigating to a less secure destination (e.g., from https: to http:) but otherwise sends the full URL of the originating document, including its <i>path<\/i> and <i>query<\/i> string, as the referrer.<\/p>\n<p>&nbsp;<\/p>\n<h2>A new Policy for an evolving Web<\/h2>\n<p>The \u2018no-referrer-when-downgrade\u2019 policy is a relic of the past web, when sensitive browsing was assumed to happen over HTTPS, so the only leak worth preventing was from an HTTPS page into a plaintext HTTP request. Today\u2019s web looks very different: the web is on a path to <a href=\"https:\/\/blog.mozilla.org\/security\/2020\/11\/17\/firefox-83-introduces-https-only-mode\/\">becoming HTTPS-only<\/a>, and browsers are taking steps to <a href=\"https:\/\/blog.mozilla.org\/security\/2021\/02\/23\/total-cookie-protection\/\">curtail information leakage<\/a> across websites. 
It is time we change our default Referrer Policy in line with these new goals.<\/p>\n<p>&nbsp;<\/p>\n<div id=\"attachment_2708\" style=\"width: 2570px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-scaled.jpeg\"><img aria-describedby=\"caption-attachment-2708\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-2708 size-full\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-scaled.jpeg\" alt=\"\" width=\"2560\" height=\"1139\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-scaled.jpeg 2560w, https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-300x133.jpeg 300w, https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-600x267.jpeg 600w, https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-768x342.jpeg 768w, https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-1536x683.jpeg 1536w, https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-2048x911.jpeg 2048w, https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-1000x445.jpeg 1000w\" sizes=\"(max-width: 2560px) 100vw, 2560px\" \/><\/a><p id=\"caption-attachment-2708\" class=\"wp-caption-text\">Firefox 87\u2019s new default Referrer Policy, \u2018strict-origin-when-cross-origin\u2019, trims user-sensitive information such as the path and query string to protect privacy.<\/p><\/div>\n<p>&nbsp;<\/p>\n<p>Starting with Firefox 87, we set the default Referrer Policy to \u2018strict-origin-when-cross-origin\u2019, which trims user-sensitive information carried in the URL. As illustrated in the example above, this stricter policy not only omits the referrer entirely for requests going from HTTPS to HTTP, but also reduces the referrer to its origin, dropping path and query, for all <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy\">cross-origin<\/a> requests; same-origin requests continue to carry the full URL, as they did before. 
With that update, Firefox applies the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience. As before, the default only applies where a site has not chosen a policy of its own: a Referrer-Policy response header, a referrer meta element, or a referrerpolicy attribute on an element still takes precedence, so a site can opt into a laxer (or stricter) policy.<\/p>\n<p>If you are a Firefox user, you don\u2019t have to do anything to benefit from this change. As soon as your Firefox auto-updates to version 87, the new default policy will be in effect for every website you visit. If you aren&#8217;t a Firefox user yet, <a class=\"c-link\" href=\"https:\/\/www.mozilla.org\/firefox\/new\/\" target=\"_blank\" rel=\"noopener noreferrer\">you can download it here<\/a>\u00a0to start taking advantage of all the ways Firefox works to improve your privacy step by step with every new release.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; We are pleased to announce that Firefox 87 will introduce a stricter, more privacy-preserving default Referrer Policy. 
From now on, by default, Firefox will trim path and query string &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/\">Read more<\/a><\/p>\n","protected":false},"author":1842,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30,847],"tags":[],"coauthors":[454651,280776],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Firefox 87 trims HTTP Referrers by default to protect user privacy - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dimi Lee, Christoph Kerschbaumer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/\",\"name\":\"Firefox 87 trims HTTP Referrers by default to protect user privacy - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-scaled.jpeg\",\"datePublished\":\"2021-03-22T10:00:53+00:00\",\"dateModified\":\"2021-03-22T16:17:12+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/3bb65a4e89ae98e69f2e711f41855f5b\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-scaled.jpeg\",\"contentUrl\":\"https:\/\/blog.mozilla.o
rg\/security\/files\/2021\/03\/referrer-scaled.jpeg\",\"width\":2560,\"height\":1139,\"caption\":\"Firefox 87 new default Referrer Policy \u2018strict-origin-when-cross-origin\u2019 trimming user sensitive information like path and query string to protect privacy.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Firefox 87 trims HTTP Referrers by default to protect user privacy\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/3bb65a4e89ae98e69f2e711f41855f5b\",\"name\":\"Dimi Lee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/c85005ca180442da575b26bf8d5be049\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/bd10912fd8637cc64f00edd465ca8b0d?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/bd10912fd8637cc64f00edd465ca8b0d?s=96&d=identicon&r=g\",\"caption\":\"Dimi Lee\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Firefox 87 trims HTTP Referrers by default to protect user privacy - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/","twitter_misc":{"Written by":"Dimi Lee, Christoph Kerschbaumer","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/","url":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/","name":"Firefox 87 trims HTTP Referrers by default to protect user privacy - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-scaled.jpeg","datePublished":"2021-03-22T10:00:53+00:00","dateModified":"2021-03-22T16:17:12+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/3bb65a4e89ae98e69f2e711f41855f5b"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/"]}]},{"@type":"ImageObje
ct","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-scaled.jpeg","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2021\/03\/referrer-scaled.jpeg","width":2560,"height":1139,"caption":"Firefox 87 new default Referrer Policy \u2018strict-origin-when-cross-origin\u2019 trimming user sensitive information like path and query string to protect privacy."},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2021\/03\/22\/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Firefox 87 trims HTTP Referrers by default to protect user privacy"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/3bb65a4e89ae98e69f2e711f41855f5b","name":"Dimi Lee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/c85005ca180442da575b26bf8d5be049","url":"https:\/\/secure.gravatar.com\/avatar\/bd10912fd8637cc64f00edd465ca8b0d?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/bd10912fd8637cc64f00edd465ca8b0d?s=96&d=identicon&r=g","caption":"Dimi 
Lee"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2704"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1842"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2704"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2704\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2704"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
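The difference between the old default ('no-referrer-when-downgrade') and the Firefox 87 default ('strict-origin-when-cross-origin') described in the post, worked through as an added example that is not part of the original post and is not Firefox's own code. It models the Referrer Policy specification's "determine request's referrer" algorithm for every policy value, plus the header parsing rule under which the last recognised token of a Referrer-Policy header wins, and runs both defaults over constructed URLs. The hostnames (shop.example, analytics.example, legacy.example) are made up for the example, and the model simplifies the spec by treating only https: referrers as potentially trustworthy (the spec also counts localhost and a few other cases, which are ignored here).

```javascript
// Added example (not code from the Mozilla post or from Firefox): a model of
// how a browser derives the Referer header from the referring document's URL,
// the request URL and the effective Referrer Policy. Uses only the WHATWG URL
// class built into Node.js and browsers; nothing touches the network.
// Assumption: only https: referrers count as "potentially trustworthy".

const POLICIES = [
  'no-referrer',
  'no-referrer-when-downgrade',
  'origin',
  'origin-when-cross-origin',
  'same-origin',
  'strict-origin',
  'strict-origin-when-cross-origin',
  'unsafe-url',
];

// Policy Firefox 87+ falls back to when the site sets none.
const FIREFOX_87_DEFAULT = 'strict-origin-when-cross-origin';

// Parse a Referrer-Policy header value. The header is a comma-separated list
// and the LAST recognised token wins, so a site can list a widely supported
// fallback first and a newer value last. Unknown tokens are skipped.
// (Matching is done case-insensitively here as a simplification.)
function policyFromHeader(headerValue) {
  let policy = '';
  for (const raw of String(headerValue || '').split(',')) {
    const token = raw.trim().toLowerCase();
    if (POLICIES.includes(token)) policy = token;
  }
  return policy; // '' means "no policy set; the browser default applies"
}

function isSecure(u) {
  return u.protocol === 'https:';
}

// "Strip url for use as a referrer": drop credentials and fragment; a
// referring document that is not http(s) never yields a Referer at all.
function stripForReferrer(url) {
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the Referer header value, or null when no header would be sent.
function referrerFor(policy, referringDocument, requestUrl) {
  const ref = new URL(referringDocument);
  const req = new URL(requestUrl);
  const effective = policy === '' ? FIREFOX_87_DEFAULT : policy;
  const full = stripForReferrer(ref);
  if (full === null) return null;
  const originOnly = ref.origin + '/';          // scheme://host[:port]/
  const sameOrigin = ref.origin === req.origin;
  const downgrade = isSecure(ref) && !isSecure(req);

  switch (effective) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return full;
    case 'origin':
      return originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade':          // pre-Firefox-87 default
      return downgrade ? null : full;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':     // Firefox 87 default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown referrer policy: ${effective}`);
  }
}

// Side-by-side result of the old and new defaults for one request.
function compareDefaults(referringDocument, requestUrl) {
  return {
    before: referrerFor('no-referrer-when-downgrade', referringDocument, requestUrl),
    after: referrerFor(FIREFOX_87_DEFAULT, referringDocument, requestUrl),
  };
}

// Constructed sample: an account page whose URL carries an order id.
const DOC = 'https://shop.example/account/orders?id=4711#summary';
console.log('cross-origin https', compareDefaults(DOC, 'https://analytics.example/pixel.gif'));
console.log('downgrade to http', compareDefaults(DOC, 'http://legacy.example/'));
console.log('same-origin', compareDefaults(DOC, 'https://shop.example/static/app.js'));
```

The cross-origin case is the one the post is about: under the old default the analytics host received the full `/account/orders?id=4711` path and query, under the new default it receives only `https://shop.example/`. The same-origin case shows the caveat that the new default changes nothing for requests to the page's own origin, and the header-parsing helper shows how a site that wants a different policy overrides the default.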