Naked Security

Firefox 59’s privacy mode plugs leaky referrers

The Firefox browser’s Private Browsing Mode won't tell websites where visitors have come from.

In a small and partly symbolic tweak, Firefox 59’s Private Browsing Mode will stop passing other websites the full address of the page a user came from, trimming it to the referring site’s origin.
Currently, when a user clicks on a link to visit a new website in any leading browser, that site is told the address of the page the visitor is coming from – the referring URL – via the (yes, misspelled) HTTP Referer header.
For example, if you visited Naked Security from our recent post about Intercept X on the Sophos News site, Naked Security would be passed the following:

Referer: https://news.sophos.com/en-us/2018/02/02/intercept-x-the-executives-view/

In some cases the referrer value can reveal a lot about a user’s interests, and it’s not just the web page you’re visiting that gets to see it. These days, many websites embed code from third parties for tasks like web analytics or advertising; every request for that embedded code carries its own Referer, the URL of the page you are viewing, so those third parties see it too.
In 2015, a study by Timothy Libert, a doctoral student at the University of Pennsylvania, found that nine out of ten visits to health-related web pages result in data being leaked to third parties like Google, Facebook and Experian.
The most infamous example of leaky Referer headers is probably the US government’s healthcare.gov website (the sign-up system for the US Affordable Care Act) which, thanks to URLs like the one below, could leak whether users were pregnant or a smoker, as well as their age, income and ZIP code.

Referer: https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000

In Firefox 59’s Private Browsing Mode, when that page sends a request to a different site, whether a link the user follows or an embedded third-party script, the path and query are stripped and the other site receives only:

Referer: https://www.healthcare.gov/


But here’s the rub. First, Firefox trims the path only in Private Browsing Mode; a regular window keeps sending the full URL. The trimming is also only the browser’s default: a site that sets its own Referrer-Policy, whether stricter or more permissive, is still honoured in both modes, and only the referring site can set it (the receiving site has no say).
Second, intriguingly, Firefox users have been able to turn off referrer information for more than 15 years, by delving into the browser’s about:config screen (read this document for Mozilla’s explanation of these settings).
Be warned though: turning off referrer data can break some websites, for example services that compare the Referer header against an expected value as an anti-forgery check.
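As an added example that is not part of the article or of Firefox’s own code, here is a small Node.js model of how a browser derives the Referer value from the referring URL, the request’s destination and the Referrer-Policy in force, following the W3C Referrer Policy specification. It shows that strict-origin-when-cross-origin (the Firefox 59 Private Browsing default) trims cross-site referrers to the origin, keeps the full URL for same-site requests and sends nothing on an HTTPS-to-HTTP downgrade, and that a Referrer-Policy header set by the referring site replaces the browser default. The healthcare.gov URL is the one quoted above; the analytics host and the same-site path are made up for the demo.

```javascript
'use strict';
// Added example (not from the article or from Mozilla): a reference model of
// how a browser turns the referring page's URL, the request destination and
// the Referrer-Policy in force into the Referer header, following the W3C
// Referrer Policy specification. The healthcare.gov URL is the one quoted in
// the article; analytics.example and the same-site path are made up.

const HEALTHCARE =
  'https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000';

const KNOWN_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
]);

// A Referrer-Policy header may list several tokens (fallbacks for older
// browsers); the last token the browser recognises wins. Returns null when
// nothing usable is present.
function parseReferrerPolicyHeader(headerValue) {
  let chosen = null;
  for (const token of String(headerValue || '').split(',')) {
    const t = token.trim().toLowerCase();
    if (KNOWN_POLICIES.has(t)) chosen = t;
  }
  return chosen;
}

// The referring site's own policy overrides the browser default; the site
// receiving the Referer has no say in it.
function effectivePolicy(siteHeader, browserDefault) {
  return parseReferrerPolicyHeader(siteHeader) || browserDefault;
}

function isPotentiallyTrustworthy(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:' ||
    url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}

// Referrers never carry credentials or fragments, whatever the policy says.
function referrerSource(fromUrl) {
  const u = new URL(fromUrl);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u;
}

// Returns the Referer header value, or null when no header should be sent.
function computeReferer(fromUrl, toUrl, policy) {
  const from = referrerSource(fromUrl);
  const to = new URL(toUrl);
  const full = from.href;
  const originOnly = from.origin + '/'; // origin-only referrers are serialised with a trailing slash
  const sameOrigin = from.origin === to.origin;
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);

  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return full;
    case 'origin':                     return originOnly;
    case 'same-origin':                return sameOrigin ? full : null;
    case 'strict-origin':              return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin':   return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Demo: the healthcare.gov results page requesting a third-party analytics
// script under the regular-window default of the time
// (no-referrer-when-downgrade) and under the Private Browsing default.
function demo() {
  const thirdParty = 'https://analytics.example/collect.js';                 // made-up host
  const samePage = 'https://www.healthcare.gov/see-plans/85601/results/next'; // made-up path
  return {
    regular: computeReferer(HEALTHCARE, thirdParty, 'no-referrer-when-downgrade'),
    privateMode: computeReferer(HEALTHCARE, thirdParty, 'strict-origin-when-cross-origin'),
    sameOrigin: computeReferer(HEALTHCARE, samePage, 'strict-origin-when-cross-origin'),
    // The referring site sets unsafe-url, overriding the private-mode default.
    siteOverride: computeReferer(HEALTHCARE, thirdParty,
      effectivePolicy('unsafe-url', 'strict-origin-when-cross-origin')),
    // An https -> http downgrade sends no Referer at all.
    downgrade: computeReferer(HEALTHCARE, 'http://analytics.example/collect.js',
      'strict-origin-when-cross-origin'),
  };
}

console.log(demo());
```

Run it with `node` and compare the `regular` and `privateMode` entries: the first is the full query string with the smoker, pregnancy and income fields, the second is just `https://www.healthcare.gov/`. The `siteOverride` entry is the catch from the article: a referring site that sets its own permissive policy puts the full URL back.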
This still raises the question of why Mozilla has had a burst of enthusiasm for the concept now.
The answer might be that Mozilla had an epiphany regarding privacy, the result of which was November’s Firefox Quantum overhaul. This boasted a range of security and privacy enhancements, which are being added to with every point release.
Removing the referrer path in privacy mode is unlikely to have a major impact on Firefox users’ privacy, but it does remind users that the header’s existence is a risk they should at least pay attention to.
For years, privacy has been taken for granted, or at least the lack of it accepted as a necessary sacrifice so the web could work for website owners. Countering this philosophy could turn out to be the fuel for Firefox’s second coming.

7 Comments

I’ve made life difficult for myself by ‘Copying’ the link, stripping out the unwanted code, then pasting it into a new window. Especially useful when using links embedded in emails as it gets rid of all those details.


From the first link you posted: “Starting with Firefox 59, Private Browsing will remove path information from referrer values sent to third parties (i.e. technically, setting a Referrer Policy of strict-origin-when-cross-origin).” – so, apparently, this block only applies to third parties, not the destination website itself.
It also says “In Firefox Regular and Private Browsing Mode, if a site specifically sets a more restrictive or more liberal Referrer Policy than the browser default, the browser will honor the websites request since the site author is intentionally changing the value.”. It sounds to me as if the new change doesn’t really do anything since website authors can overrule this setting at will.
I do as Spryte mentioned for websites I don’t trust (which is most websites), I copy URLs to the clipboard, paste into a text editor, sanitize and then copy/paste into a browser. I use a blank page as my “home page” and always go to the next website via the blank page by either pasting the sanitized URL or using a bookmark.
It isn’t paranoia, it’s a feeble push-back at today’s complete disregard for privacy.


“website authors can overrule this setting at will”
The important point being that the author of the *source* website has to overrule the setting. The site receiving the “referer” header has no control over the policy.
And it’s not always about privacy. For example, certain payment gateways validate the “referer” header for an exact match to a configured value as an additional security check. As I found out when Chrome made a similar change last year, and the gateway started rejecting the redirection to the payment pages from one of our sites.


This will cause a lot of false positives with IDS/IPS systems. Ours reports a hack attempt to the owner of the IP address if it sees a blank User-Agent and Referer. It also drops the connection and blocks the address, so good luck using this feature.


Blocklisting someone as a hacker for not setting the Referer: header seems a bit harsh. Would you be happier with a bogus Referer: field instead?

