Project

General

Profile

Feature #246

Disable the Referer header when loading links on the same domain

Added by Soren Stoutner over 2 years ago. Updated about 1 month ago.

Status:
Closed
Priority:
Next Release
Start date:
02/02/2018
Due date:
% Done:

0%

Estimated time:

Description

This header doesn't provide any useful benefit to the user that can't be achieved in some other way, and it is a massive privacy leak.


Files

Privacy Browser - No Referer.png (357 KB) Privacy Browser - No Referer.png Soren Stoutner, 06/22/2020 06:20 PM
Lightning - Referer.png (437 KB) Lightning - Referer.png Soren Stoutner, 06/22/2020 06:20 PM

History

#1

Updated by Soren Stoutner about 2 months ago

WebView's default behavior is to send a Referer header when the current domain and the requested domain match, but not if they are different.

This behavior is partially described at https://developer.android.com/reference/android/webkit/WebView#loadDataWithBaseURL(java.lang.String,%20java.lang.String,%20java.lang.String,%20java.lang.String,%20java.lang.String).

#2

Updated by Soren Stoutner about 2 months ago

There are some websites that use the Referer header as a "security" feature to prevent direct download of files without first viewing the webpage.

As such, I will create a domain setting to allow selectively enabling the referer header, as well as some type of spoofing option.

None of this will be possible until Privacy WebView in the 4.x series because Android's WebView doesn't expose any controls for this externally.

#3

Updated by Soren Stoutner about 1 month ago

Adding custom headers to all links (https://redmine.stoutner.com/issues/584) has removed the Referer.

This can be tested using the following two URLs.

https://www.whatismyreferer.com/ does not show a Referer header even when linked from a search result. This is expected, as Google has not allowed cross-site Referer headers in WebView since I began developing Privacy Browser.

Loading https://browserleaks.com/ip from https://browserleaks.com/ also does not show a Referer header (see screenshot). This is opposed to Firefox 68.9.0 and Google Chrome 83.0.4103.106, which do. Interestingly, Lightning 5.1.0 sends a Referer header (see screenshot) but FOSS Browser does not (they both use the same WebView as Privacy Browser).

#4

Updated by Soren Stoutner about 1 month ago

  • Subject changed from Completely disable the Referer header to Disable the Referer header when loading links on the same domain

Note that Privacy Browser still sends the Referer header on resource requests. Fixing that problem won't be possible until https://redmine.stoutner.com/issues/586 with Privacy Browser.

Also available in: Atom PDF