HTTP Referer spoofing
xulBlock Advanced (xBA) has the ability to filter every HTTP Referer and spoof those of requests to 3rd-party domains. The spoofed value will always be the scheme + hostname of the request recipient.
This method provides the same privacy benefit as removing the Referer value, but spoofing has the advantage of being less likely to break websites, as explained here: a recipient that rejects requests with a missing Referer (hotlink protection on an image host, for example) still sees a Referer from its own hostname.
xBA uses a combination of global and per-site rules, providing the flexibility to always spoof except when needed to prevent breakage.
Thus I recommend using your browser's default Referer settings and relying on xBA for all filtering. Browser policies are all-or-nothing, lacking the per-site flexibility of xBA.
Suppose I visit a page on site 1 that needs to fetch an image from site 2 at http://img.site2.com/archive/foo.jpg. My browser generates a new HTTP request for the image, and let's assume that site 1 is fine with the browser's default policy of populating the Referer field with the URL of the current page. (In other words, site 2 would learn that foo.jpg was requested by this particular page on site 1.)
Before the request is sent, however, xBA filters it and recognizes that site 2 is a 3rd-party destination. Since I have a rule to spoof to site 2, xBA changes the Referer value to http://img.site2.com/.
When site 2 receives the request with the spoofed Referer, it cannot tell that the request originated from site 1.
So having xBA spoof every 3rd-party request provides a substantial overall privacy benefit.
Enable global 3rd-party Referer spoofing by clicking the check box on the Settings tab of the dashboard. This will add the global rule to the My rules tab of the dashboard:
spoof-3p-referer-to: * true
Then you can disable spoofing for specific recipient hostnames, such as:
spoof-3p-referer-to: virustotalcloud.appspot.com false
You can also use a base domain:
spoof-3p-referer-to: example.com false
For any hostname or domain set to false, all 3rd-party traffic to it will receive the sending site's actual Referer.
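The walkthrough and the spoof-3p-referer-to rules above, modelled as an added example in JavaScript. This is not xBA's own code, and it makes three assumptions the page does not state: a request is 3rd-party when the recipient's base domain (taken simply as the last two hostname labels, with no public-suffix list) differs from the page's; a more specific rule (exact hostname, then base domain) overrides the global "*" rule; and with no matching rule nothing is spoofed. The site1/site2 hostnames are constructed for the example.

```javascript
// Added example, not xBA's own code: a small model of how xBA decides which
// Referer a request carries, using the spoof-3p-referer-to rule syntax.
// Assumptions (not stated on the page): base domain = last two labels,
// specific rules beat "*", and no matching rule means no spoofing.

// Parse lines of the form "spoof-3p-referer-to: <hostname|domain|*> <true|false>".
function parseRules(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const m = /^spoof-3p-referer-to:\s+(\S+)\s+(true|false)$/.exec(line);
    if (!m) throw new Error('unrecognized rule: ' + line);
    rules.push({ pattern: m[1].toLowerCase(), spoof: m[2] === 'true' });
  }
  return rules;
}

// Simplified base domain: "img.site2.com" -> "site2.com" (assumption, no PSL).
function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function isThirdParty(pageUrl, requestUrl) {
  return baseDomain(new URL(pageUrl).hostname) !== baseDomain(new URL(requestUrl).hostname);
}

// Effective rule for a recipient hostname. Specificity: exact hostname (2)
// beats a base-domain suffix match (1) beats the global "*" rule (0).
function shouldSpoof(rules, hostname) {
  const host = hostname.toLowerCase();
  let best = null;
  for (const r of rules) {
    let specificity;
    if (r.pattern === '*') specificity = 0;
    else if (r.pattern === host) specificity = 2;
    else if (host.endsWith('.' + r.pattern)) specificity = 1;
    else continue;
    if (best === null || specificity > best.specificity) best = { specificity, spoof: r.spoof };
  }
  return best !== null && best.spoof;
}

// Decide the Referer an outgoing request carries. 1st-party requests and
// recipients whose rule is false keep the page URL (the browser's default);
// everything else gets scheme + hostname of the recipient, with a trailing
// slash as on the page ("http://img.site2.com/"). Any port is dropped, since
// the page says scheme + hostname.
function filterReferer(rules, pageUrl, requestUrl) {
  const dest = new URL(requestUrl);
  if (!isThirdParty(pageUrl, requestUrl) || !shouldSpoof(rules, dest.hostname)) {
    return { spoofed: false, referer: pageUrl };
  }
  return { spoofed: true, referer: dest.protocol + '//' + dest.hostname + '/' };
}

// Constructed sample rule set mirroring the three rules shown above.
const SAMPLE_RULES = parseRules([
  'spoof-3p-referer-to: * true',
  'spoof-3p-referer-to: virustotalcloud.appspot.com false',
  'spoof-3p-referer-to: example.com false',
].join('\n'));

// The walkthrough: a page on site 1 fetching an image from site 2.
const PAGE = 'http://www.site1.com/gallery/page.html';
console.log(filterReferer(SAMPLE_RULES, PAGE, 'http://img.site2.com/archive/foo.jpg'));
```

Running the block prints `{ spoofed: true, referer: 'http://img.site2.com/' }` for the image request; a request to virustotalcloud.appspot.com or to any host under example.com keeps the page URL because the specific false rule wins over the global true rule.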
Referer filtering is a special operation that cannot be logged the same way as regular request filtering. I wanted the ability to see every Referer, in part as a learning tool to become more familiar with how websites use them, so I opted to log them in the Browser Console. This way they can be viewed in conjunction with the Logger to have a full picture of all request filtering activity.
Note that:
- Console Log message types must be enabled to see Referer activity.
- Referer activity is only logged to the Console while the Logger is open. This keeps all xBA logging consistent and avoids unnecessarily cluttering the Console.
- The spoofed value is not explicitly logged because it always is the scheme + hostname of the request recipient, which is in the second URL logged for each Console entry.
- The first URL value is the original Referer, prior to xBA spoofing it. It's important to log this to know what it would have been or might need to be in case of site breakage.
Tip: use the Console's text filter bar, e.g. 'spoof' or 'referer'.
By default, only spoofed Referers are logged to the Console.
These two Advanced settings adjust logging behavior:
logEveryHttpReferer defaults to false. When set to true, xBA logs the Referer of every sent request. This can be useful for troubleshooting or as a learning aid, but it is usually unnecessary and will clutter the Console.
logTruncatedRefererResource defaults to true, which truncates logged destination URLs longer than 100 characters. The destination is the second URL of each logged Console entry and is the same URL shown in the Logger for that request, so the full value is redundant in the Console.
Note, however, that the original Referer value is never truncated in the Console. It's important to always log this full value.
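The logging rules above (spoofed entries only by default, logging only while the Logger is open, destination truncated at 100 characters, original Referer never truncated), modelled as an added example in JavaScript. This is not xBA's own code: the setting names come from the page, while the shape of the settings and event objects, the "pass"/"spoof" action label and the "..." marker appended to a truncated destination are this example's assumptions.

```javascript
// Added example, not xBA's own code: which Referers reach the Browser Console,
// and in what shape, under logEveryHttpReferer and logTruncatedRefererResource.

const MAX_LOGGED_RESOURCE_LENGTH = 100;

// Truncate a destination URL longer than 100 characters. The cut value still
// identifies the request because the Logger holds the full URL.
function truncateResource(url) {
  return url.length > MAX_LOGGED_RESOURCE_LENGTH
    ? url.slice(0, MAX_LOGGED_RESOURCE_LENGTH) + '...'   // marker is an assumption
    : url;
}

// Return the Console entry for one sent request, or null when nothing is logged.
// event:    { originalReferer, destination, spoofed }         (assumed shape)
// settings: { loggerOpen, logEveryHttpReferer, logTruncatedRefererResource }
function refererLogEntry(event, settings) {
  if (!settings.loggerOpen) return null;                            // only while the Logger is open
  if (!event.spoofed && !settings.logEveryHttpReferer) return null; // default: spoofed Referers only
  return {
    action: event.spoofed ? 'spoof' : 'pass',        // matches the 'spoof' Console filter tip
    original: event.originalReferer,                 // first URL: never truncated
    destination: settings.logTruncatedRefererResource // second URL: spoofed value is its scheme + hostname
      ? truncateResource(event.destination)
      : event.destination,
  };
}

// Defaults as described above; loggerOpen is assumed true for the demo.
const DEFAULT_SETTINGS = {
  loggerOpen: true,
  logEveryHttpReferer: false,
  logTruncatedRefererResource: true,
};

// Constructed sample: one spoofed request whose destination URL is 153 characters.
const SAMPLE_EVENT = {
  originalReferer: 'http://www.site1.com/gallery/page.html?album=2024',
  destination: 'http://img.site2.com/archive/' + 'a'.repeat(120) + '.jpg',
  spoofed: true,
};
console.log(refererLogEntry(SAMPLE_EVENT, DEFAULT_SETTINGS));
```

With the defaults the sample produces one entry whose destination is cut to 100 characters plus the marker while the original Referer is kept whole; the same request with spoofed set to false produces no entry until logEveryHttpReferer is turned on.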