[tbb-bugs] #17228 [Tor Browser]: Consideration for disabling referrers within TBB
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Oct 12 20:27:50 UTC 2015
#17228: Consideration for disabling referrers within TBB
-----------------------------+----------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: | Sponsor:
-----------------------------+----------------------
Comment (by cypherpunks):
There are two preferences that can be combined in various ways to control
and spoof the referer header.
My favorite choices for different security levels:
Lowest: no referrer restrictions (network.http.referer.XOriginPolicy=0)
and no spoofing (network.http.referer.spoofSource=false)
Medium-low: send referrer only if base domains match
(network.http.referer.XOriginPolicy=1) but don't change it
(network.http.referer.spoofSource=false)
Medium-high: send referrer only if base domains match
(network.http.referer.XOriginPolicy=1) and point it to the target url
(network.http.referer.spoofSource=true)
Highest: send referrer only if hosts match
(network.http.referer.XOriginPolicy=2) and point it to the target url
(network.http.referer.spoofSource=true)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17228#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list