Topic: Understanding Referrer-Policy header
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Tue 25 Apr '17 6:23 Post subject:
If they follow a link from your page to mine, I will not know where it came from. If someone follows a link on a page of mine to your site, you will not know where they came from.
But there are the caveats so it's not that simple but it's a close enough explanation.
Personally, I do not like this policy and quite frankly don't understand the security implications of allowing another site to know a visitor came from a link on mine, other than that site owner follows it to my malware infested attack site that I do not have. If they don't have the sense to surf securely, too bad so sad.
I believe it is still just a draft RFC and hopefully it simply dies a silent death and never makes it past the draft stage.
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
Posted: Tue 25 Apr '17 14:50 Post subject:
I think it is to do with browser privacy though.
For example some links on websites like facebook will have the profile name you are looking at and viewing before navigating away.
Other URLs and links, even on HTTPS/SSL sites, will have some URL like this.
Code:
myshitsite.com/myaccount.php?username=Administrator&password=Holyfuck&i-can-be-seen-in-refferer-url=true
I see it as good from a security perspective to stop the websites you visit seeing your referrer, and for protecting users' account data on your site as well as for privacy reasons. It is a big violation of privacy, since users don't like people knowing they just came from watching porn, stalking an ex-boyfriend's or girlfriend's profile, or cheating on their partner in a dating chatroom, etc.; the list can go on.
All session data in a URL can be leaked via the referrer; it holds a lot more positive benefits than negative. Especially if you just came from your online banking website.
Hell, I am sure if I went through the referrers that client browsers like Chrome, Firefox etc. present in my server's logs, I would find plenty of URLs like the one above from websites that think HTTPS/SSL is protecting their user accounts.
It is unwillingly/unknowingly sending your private information to every webmaster and webserver in the world that you visit.
I love this new header and I set it to "no-referrer", so none of the sites on my servers will be at risk of this kind of privacy leak. The only browsers that will be at risk will be outdated ones and browsers that do not respect the web standard and read or follow/abide by what this header tells them to do. I also have zero need to see their private referrer details for my own sites in my logs, so "no-referrer" is the best setting for me. If I want to see their referrer in my own logs for debugging problems, I would set "same-origin".
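Added here as a worked example (not code from the thread or from Apache): a small Python model of what the Referer header carries for a navigation under each Referrer-Policy value, run against a constructed account URL that, like the one above, puts identity and a session token in its query string. The host names, the token and the `leaks_query` helper are assumptions for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit

def origin_of(url: str) -> str:
    """scheme://host[:port]; default ports are dropped, as browsers serialize origins."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{p.scheme}://{p.hostname}{port}"

def strip_for_referrer(url: str, origin_only: bool = False) -> str:
    """Credentials and fragment are always removed; origin_only also drops path and query."""
    if origin_only:
        return origin_of(url) + "/"
    p = urlsplit(url)
    netloc = origin_of(url).split("://", 1)[1]
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def referrer_for(policy: str, from_url: str, to_url: str):
    """Referer value sent when navigating from from_url to to_url under policy, or None."""
    same_origin = origin_of(from_url) == origin_of(to_url)
    downgrade = urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme == "http"
    full = strip_for_referrer(from_url)
    origin = strip_for_referrer(from_url, origin_only=True)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")

def leaks_query(policy: str, from_url: str, to_url: str) -> bool:
    """True if the query string (where usernames and tokens end up) reaches to_url's server."""
    ref = referrer_for(policy, from_url, to_url)
    return bool(ref) and urlsplit(from_url).query != "" and urlsplit(ref).query != ""

# Constructed sample (hypothetical host): an account page with identity and a token in its query.
LEAKY_PAGE = "https://shop.example/myaccount.php?username=admin&session=abc123#top"

if __name__ == "__main__":
    for policy in ("no-referrer", "same-origin", "strict-origin-when-cross-origin", "unsafe-url"):
        print(f"{policy:34} -> {referrer_for(policy, LEAKY_PAGE, 'https://other.example/')}")
```

Only "no-referrer" and "same-origin" keep the query string off a third-party server in every case, which is the choice the post describes; the "strict-origin-when-cross-origin" branch shows what a browser default does instead.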
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Tue 25 Apr '17 20:30 Post subject:
If I go to your site from a porn site, do I care if you know? Not really. If I did, I could always copy the link and paste it in a new tab, and you would not get a referrer, not even on old browsers that do not support this feature.
Google and others follow everyone around all over the web and it's the corporations I am much more concerned about.
So in my view this only hurts the little guys. But hey, to each his own.
I am glad Steffen doesn't use this yet. Downloads on my site that I post here may not stick around very long, or get moved into a permanent location. At least I can see where they came from and edit my posts and change/remove old dead links. Where are you, mod_spamhaus?
C0nw0nk
Joined: 07 Oct 2013 Posts: 241 Location: United Kingdom, London
Posted: Tue 25 Apr '17 22:04 Post subject:
This helps protect users from information disclosure of sensitive links containing private info at least.
Maybe they will come up with something next to stop tracking by Google and everyone else, with their IP and the tracking cookies they store in your browser for us to use server side.
They do have a client-side feature to prevent tracking in Firefox, Chrome etc., but I bet the majority of servers and sites do not even respect this header. *CIA, FBI*
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DNT
Even www.cloudflare.com has a tracking cookie to track you across their network; it's their cfuid cookie, set whenever you visit any website behind Cloudflare's CDN.