Feature #246
closed
Disable the Referer header when loading links on the same domain
Added by Soren Stoutner almost 7 years ago.
Updated over 4 years ago.
Description
This header doesn't provide any useful benefit to the user that can't be achieved in some other way, and it is a massive privacy leak.
Files
There are some websites that use the Referer header as a "security" feature to prevent direct download of files without first viewing the webpage.
As such, I will create a domain setting to allow selectively enabling the Referer header, as well as some type of spoofing option.
None of this will be possible until Privacy WebView in the 4.x series because Android's WebView doesn't expose any controls for this externally.
Adding custom headers to all links (https://redmine.stoutner.com/issues/584) has removed the Referer.
This can be tested using the following two URLs.
https://www.whatismyreferer.com/ does not show a Referer header even when linked from a search result. This is expected, as Google has not allowed cross-site Referer headers in WebView since I began developing Privacy Browser.
Loading https://browserleaks.com/ip from https://browserleaks.com/ also does not show a Referer header (see screenshot). This is opposed to Firefox 68.9.0 and Google Chrome 83.0.4103.106, which do. Interestingly, Lightning 5.1.0 sends a Referer header (see screenshot) but FOSS Browser does not (they both use the same WebView as Privacy Browser).
- Subject changed from Completely disable the Referer header to Disable the Referer header when loading links on the same domain
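The same-domain check described in the thread can also be repeated against a local page, shown here as an added example that is not part of the issue or of Privacy Browser's code. It serves a start page with a same-domain link and reports whether the follow-up request carried a Referer header and what that header would disclose. The port, the `/start` and `/echo` paths, and the function names are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def classify_referer(request_host, referer):
    """Classify the Referer of a request addressed to request_host (host[:port])."""
    if not referer:
        return "absent"
    ref = urlsplit(referer)
    if not ref.netloc:
        return "malformed"
    # Same host and port as the requested page means a same-domain navigation.
    if ref.netloc.lower() == request_host.lower():
        return "same-domain"
    return "cross-site"


def leaked_detail(referer):
    """Return the path and query the receiving site learns, or None if no header."""
    if not referer:
        return None
    ref = urlsplit(referer)
    return ref.path + ("?" + ref.query if ref.query else "")


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path.startswith("/echo"):
            referer = self.headers.get("Referer")
            verdict = classify_referer(self.headers.get("Host", ""), referer)
            body = (f"Referer: {referer!r}\nverdict: {verdict}\n"
                    f"discloses: {leaked_detail(referer)!r}\n")
            ctype = "text/plain"
        else:
            # Start page: follow the link, then read what /echo reports.
            body = '<a href="/echo">same-domain link</a>'
            ctype = "text/html"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", ctype + "; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Loopback only; the browser under test must be able to reach this address.
    # Open http://127.0.0.1:8000/start?q=secret and follow the link.
    HTTPServer(("127.0.0.1", 8000), EchoHandler).serve_forever()
```

A browser that suppresses the header on same-domain links produces the verdict `absent`; one that sends it shows `same-domain` together with the path and query of the page the link was on.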