HTTP Referral Headers

From Meta, a Wikimedia project coordination wiki

Wikimedia websites send domain information (for example "en.wikipedia.org" or "commons.wikimedia.org") to other websites via the HTTP referrer header, which is a function of browsers. When you click a URL or link on a Wikimedia project, your browser sends this domain information to the destination website. This allows the receiving website to track, in aggregate, where its incoming traffic comes from.

As part of their individual evaluation of privacy and risk, some individuals might conclude that this information is too sensitive to be sent. If you would like less exposure of your browsing behavior, the Wikimedia Foundation recommends that you use a browser-based solution. This is a highly effective way to exercise direct control over your browser privacy, both on Wikimedia sites and on other websites. The tools below allow control over the amount of referrer information presented to websites when a link is clicked. They function as extensions to the web browser and for the most part work transparently, without user interaction, after initial configuration.

The list contains a few recommendations as surveyed by the Wikimedia Foundation Security Team as of June 23, 2017. The tools were reviewed and verified to work as advertised in their respective documentation. The choice of which tool to use is a subjective one based on individual user needs, and care should be taken to ensure that the tool you select matches your individual threat model well.

Google Chrome/Chromium

Referer Control (Chrome)

Referer Control, developed by Keepa.com, allows fine-grained control over transmitted referrer information based on request type and origin. Rules may be specified based on the site from which a link originates, the site to which a link is destined, and whether the link is considered third party. The tool also supports blocking of the document.referrer JavaScript property, and creation of rules via a context menu click (right click/two-finger click) on the pertinent page.

The tool works by modifying outgoing HTTP requests before they leave the browser, and in some use cases, injecting a meta tag.

The tool is mature and kept up to date, with a large number of users and high ratings in the Chrome App Store.

NOTE: This tool's configuration page loads third-party content (in the form of a PayPal donation appeal and a Disqus thread) which may reveal the fact that the user is using the tool. Additionally, when the tool is configured to supply a random referrer value, the limited character set from which values are chosen may reveal the fact that the user is using the tool.
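
The rule model described above for Referer Control (source site, destination site, third party), sketched as an added example; it is not the extension's own code, and the rule fields, action names and sample rules are hypothetical. It shows what Referer value the destination site would receive for a given click.

```javascript
'use strict';
// Added example, not Referer Control's implementation. Rule fields
// (from, to, thirdPartyOnly, action) and action names are hypothetical.

// Actions a rule may apply to the outgoing Referer header.
const ACTIONS = {
  keep:   (ref) => ref.href,          // send the full URL unchanged
  origin: (ref) => ref.origin + '/',  // send scheme and host only
  block:  ()    => null,              // omit the header entirely
};

// Simplified third-party test: compares full hostnames. A real tool would
// compare registrable domains, which requires the Public Suffix List.
function isThirdParty(from, to) {
  return from.hostname !== to.hostname;
}

// True when host equals pattern or is a subdomain of it; '*' matches any host.
function hostMatches(pattern, host) {
  return pattern === '*' || host === pattern || host.endsWith('.' + pattern);
}

// Returns the Referer value to send, or null for none. The first matching
// rule wins; when no rule matches, defaultAction applies.
function refererFor(rules, defaultAction, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const thirdParty = isThirdParty(from, to);
  const rule = rules.find((r) =>
    hostMatches(r.from, from.hostname) &&
    hostMatches(r.to, to.hostname) &&
    (!r.thirdPartyOnly || thirdParty));
  return ACTIONS[rule ? rule.action : defaultAction](from);
}

// Constructed sample rules: strip the header on third-party clicks leaving
// wikipedia.org, and send only the origin to example.org from anywhere.
const RULES = [
  { from: 'wikipedia.org', to: '*', thirdPartyOnly: true, action: 'block' },
  { from: '*', to: 'example.org', thirdPartyOnly: false, action: 'origin' },
];
```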

ScriptSafe

ScriptSafe, developed by andryou.com, offers many more security/privacy options than Referer Control, but less actual control of referrers themselves. The tool allows for setting a specific referrer for all requests.

The tool appears visibly more complex, with related settings on separate tabs.

The tool is mature and kept up to date, with a large number of users and high ratings in the Chrome App Store.

Firefox

Referer Control (Firefox)

Referer Control is developed by Keepa.com for both Chrome and Firefox. See above for details.

RefControl

RefControl is a widely used extension providing the ability to specify a per-domain referrer policy, as well as default behavior when no policy for a given domain has been configured.

The tool works by modifying outgoing HTTP requests before they leave the browser.

NOTE: This is one of the oldest tools available for Firefox, and appears unmaintained at this time. It has also been noted to be incompatible with multiprocess Firefox; however, our testing did not encounter problems with the tool. Unless updated, this extension will no longer function as of Firefox 57.

Manual Preference Setting

Using the about:config settings tool in Firefox, referrer transmission may be manually enabled or disabled. See the Mozilla wiki for details.

Internet Explorer

The Security team did not locate any tools for Internet Explorer which allow control of the referrer header.

Opera

Opera has built-in support for disabling referrer exposure. Review the Opera documentation.

Safari

The Security team did not locate any tools for Safari which allow control of the referrer header.

General Security Options

If your preferred browser does not have a recommended plug-in or you plan to use multiple browsers concurrently, proxies can also mask your browsing behaviour from websites.
