The HTTP Referer header is a marketer’s dream, and a privacy nightmare all in one.
The header contains tracking information that organizations can use for statistical traffic analysis and naturally to promote services to the right audience. It started out by including just the last page the user visited, supposedly a page referring to your website. Over time, more personal information has crept into the header making security engineers and privacy watchers uneasy.
Mozilla has apparently decided to do something about it, and today announced a new feature called the meta referrer that changes the Referer header, putting more controls on what’s sent out. The feature is present in the Firefox 36 Beta.
“Now your HTML documents can include a meta tag that specifies one of many referrer policies for the document to change what Firefox sends in the Referer header, and when it is sent,” wrote Sid Stamm, Mozilla principal security and privacy engineer.
Stamm said users can choose from multiple policies that specify what data is sent, or to suppress referrers entirely.
“This HTTP header has become quite problematic and not very useful, so we’re working to make it better,” Stamm said. “HTTP Referer provides a wealth of information about where you came from to the sites you visit, but this context isn’t always necessary (or desired). In addition, it is an unreliable tool for authenticating the origin of an HTTP request unless it’s always present, which it’s not due to privacy concerns (HTTPS sessions should not leak URLs to HTTP).”
Stamm said many organizations were hacking the URL structure with direct loads, redirects and frames in order to change the referrer to something with less personal information.
“What’s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that’s less privacy invasive,” Stamm said.
It’s unclear yet when meta referrer will end up in a stable release of the Firefox browser.
Mozilla this week released the latest version of Firefox, patching nine security vulnerabilities along the way.
One of the vulnerabilities patched in Firefox 35 was a Gecko Media Plugin sandbox escape, when if combined with another GMP vulnerability, could enable an attacker to bypass the GMP sandbox running on Windows computers. The sandbox is apparently only used to host H.264 video playback and the bug would spared OS X and Linux.
Descriptions of the nine vulnerabilities, in particular three rated critical by Mozilla, were posted online.