Feature #246
closed
Disable the Referer header when loading links on the same domain
Description
This header doesn't provide any useful benefit to the user that can't be achieved in some other way, and it is a massive privacy leak.
Updated by Soren Stoutner over 4 years ago
WebView's default behavior is to send a Referer header when the current domain and the requested domain match, but not if they are different.
This behavior is partially described at https://developer.android.com/reference/android/webkit/WebView#loadDataWithBaseURL(java.lang.String,%20java.lang.String,%20java.lang.String,%20java.lang.String,%20java.lang.String).
Updated by Soren Stoutner over 4 years ago
There are some websites that use the Referer header as a "security" feature to prevent direct download of files without first viewing the webpage.
As such, I will create a domain setting to allow selectively enabling the Referer header, as well as some type of spoofing option.
None of this will be possible until Privacy WebView in the 4.x series because Android's WebView doesn't expose any controls for this externally.
Updated by Soren Stoutner over 4 years ago
- File Privacy Browser - No Referer.png added
- File Lightning - Referer.png added
- Status changed from New to Closed
- Priority changed from 4.x to Next Release
Adding custom headers to all links (https://redmine.stoutner.com/issues/584) has removed the Referer.
This can be tested using the following two URLs.
https://www.whatismyreferer.com/ does not show a Referer header even when linked from a search result. This is expected, as Google has not allowed cross-site Referer headers in WebView since I began developing Privacy Browser.
Loading https://browserleaks.com/ip from https://browserleaks.com/ also does not show a Referer header (see screenshot). This is opposed to Firefox 68.9.0 and Google Chrome 83.0.4103.106, which do. Interestingly, Lightning 5.1.0 sends a Referer header (see screenshot) but FOSS Browser does not (they both use the same WebView as Privacy Browser).
Updated by Soren Stoutner over 4 years ago
- Subject changed from Completely disable the Referer header to Disable the Referer header when loading links on the same domain
Note that Privacy Browser still sends the Referer header on resource requests. Fixing that problem won't be possible until https://redmine.stoutner.com/issues/586 with Privacy Browser.
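A local way to repeat the checks described in this issue, as an added example that is not Privacy Browser's code: a small Python server that records whether each request arrives with a Referer header, keeping page navigations (the same-domain link) separate from resource requests. The paths, port and helper names are assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed test site: one same-domain link and one embedded resource.
PAGES = {
    "/": ("text/html", b'<a href="/next">same-domain link</a><img src="/pixel.gif">'),
    "/next": ("text/html", b"<p>linked page</p>"),
    "/pixel.gif": ("image/gif", b"GIF89a"),  # stub body, only the request matters
}

class RefererLog(BaseHTTPRequestHandler):
    seen = []  # (path, kind, Referer value or None), in arrival order

    def do_GET(self):
        ctype, body = PAGES.get(self.path, ("text/plain", b""))
        kind = "navigation" if ctype == "text/html" else "resource"
        RefererLog.seen.append((self.path, kind, self.headers.get("Referer")))
        self.send_response(200 if self.path in PAGES else 404)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stderr quiet; results are in `seen`
        pass

def start(port=0, host="127.0.0.1"):
    """Serve in a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), RefererLog)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def leaks():
    """Requests that arrived carrying a Referer header."""
    return [entry for entry in RefererLog.seen if entry[2] is not None]

def fetch(server, path, referer=None):
    """Constructed stand-in client for a self-check; real runs use the browser."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Referer": referer} if referer else {})
    status = conn.getresponse().status
    conn.close()
    return status

if __name__ == "__main__":
    srv = start(8000)
    input("Open http://127.0.0.1:8000/ in the browser, tap the link, press Enter\n")
    for path, kind, ref in RefererLog.seen:
        print(f"{kind:<10} {path:<12} Referer: {ref}")
```

A browser that behaves as described in the last update would show no Referer on the `navigation` rows and a Referer on the `resource` row.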