[tbb-bugs] #17228 [Tor Browser]: Consideration for disabling referrers within TBB

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 12 20:27:50 UTC 2015


#17228: Consideration for disabling referrers within TBB
-----------------------------+----------------------
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+----------------------

Comment (by cypherpunks):

 There are two preferences that can be combined in various ways to control
 and spoof the referer header.
 My favorite choices for different security levels:

 Lowest: no referrer restrictions (network.http.referer.XOriginPolicy=0)
 and no spoofing (network.http.referer.spoofSource=false)

 Medium-low: send referrer only if base domains match
 (network.http.referer.XOriginPolicy=1) but don't change it
 (network.http.referer.spoofSource=false)

 Medium-high: send referrer only if base domains match
 (network.http.referer.XOriginPolicy=1) and point it to the target url
 (network.http.referer.spoofSource=true)

 Highest: send referrer only if hosts match
 (network.http.referer.XOriginPolicy=2) and point it to the target url
 (network.http.referer.spoofSource=true)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17228#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list