Privacy Tip #3: Block Referer Headers in Firefox
When you follow a link from one page or site to another, the browser usually sends a Referer [sic] header to the server to tell sites where you came from:
    GET /test.phtml HTTP/1.1
    Host: cafe.elharo.com
    User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051130 Firefox/1.5
    Referer: http://blog.elharo.com/blog/
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
In general this is a good thing. However, unscrupulous sites can and do abuse this information to violate visitors’ privacy and track them across the Web. In combination with cookies, it’s especially dangerous. In Firefox, you can disable the sending of the Referer header completely, and in general I recommend you do so. Here are the steps:
- Type “about:config” in the location bar, and press return.
- In the filter box, type “referer” and press return. This should leave you with one preference, network.http.sendRefererHeader. This is probably set to 2.
- Right click on network.http.sendRefererHeader and select “Modify”.
- In the dialog that appears, type “0” and press OK.
- Close the window.
This completely disables the referer header. This is normally what you want, though it may occasionally break a few sites that check the referer header to prevent deep linking or framing of their content. (It breaks WordPress, for example.)
If you run into problems, try setting sendRefererHeader to 1 instead. Setting it to 1 sends a referer header when following a link to another page, but not when loading images on the page. This will block most cross-site cookie tracking, but still allow WordPress and most other sites that depend on referers to function. Setting sendRefererHeader to 2 (the default) sends it when following links and when loading images on the page.
There’s also a boolean network.http.sendSecureXSiteReferer preference. If true, referer headers are sent for https the same as they are for http (i.e. controlled by network.http.sendRefererHeader). If false, referer headers are not sent for https connections. The default is true, and that’s probably OK; but if you like you can set this to false by toggling the value.

That’s it. You’re done. Taking these steps significantly reduces the ability of sites to track and profile you.
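A way to confirm the preference took effect, as an added example that is not part of the original post: a loopback-only Python server that records the Referer it receives on a link click and on an inline image load, then reports which sendRefererHeader value that matches. The port, the paths and the function names are assumptions of this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed test page: one link (navigation) and one inline image (subresource).
PAGE = (b'<html><body><a href="/link">follow this link</a>'
        b'<img src="/probe.svg" alt=""></body></html>')
SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>'

seen = {}  # path -> Referer value (None if absent) from the latest request


def infer_setting(link_referer, image_referer):
    """Map what the server observed onto the pref values the post describes."""
    if link_referer and image_referer:
        return 2      # sent for links and for images (the default)
    if link_referer:
        return 1      # sent for links only
    if not image_referer:
        return 0      # never sent
    return None       # image only: not a state this pref produces


def respond(path, referer):
    """Record the Referer for this request and build (content type, body)."""
    seen[path] = referer
    if path == "/probe.svg":
        return "image/svg+xml", SVG
    if path == "/link":
        guess = infer_setting(seen.get("/link"), seen.get("/probe.svg"))
        text = (f"Referer on link click: {seen.get('/link')!r}\n"
                f"Referer on image load: {seen.get('/probe.svg')!r}\n"
                f"Consistent with sendRefererHeader = {guess}\n")
        return "text/plain", text.encode()
    if path == "/":
        seen.clear()  # new run: forget earlier observations
    return "text/html", PAGE


class Probe(BaseHTTPRequestHandler):
    def do_GET(self):
        ctype, body = respond(self.path, self.headers.get("Referer"))
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Cache-Control", "no-store")  # force a fresh image request
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8000 on loopback is an arbitrary choice for this example.
    HTTPServer(("127.0.0.1", 8000), Probe).serve_forever()
```

Run it, open http://127.0.0.1:8000/ in Firefox and click the link; reload the start page and click again after each change to the preference.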
October 24th, 2006 at 8:24 am
Rather than blocking the Referer header for images, wouldn’t it be better to disable cookies on images?
Many sites check the Referer tag to prevent image hotlinking. I had the problem especially with MySpace and LiveJournal users hotlinking to my higher resolution photos, so I set up Apache mod_rewrite to “deter” it. Given the number of tutorials I found on the topic, I suspect it’s a popular technique.
October 23rd, 2007 at 7:52 am
Many sites use this value to check what page you were on so they can direct you to the next page - for example at the checkout. Worst case scenario - your card is charged and the software crashes expecting HTTP_REFERRER to be set so you never get your order.
All HTTP_REFERRER does is transmit the url of the page you came from. I hardly call that tracking you ‘across the Web’ as the author claims. The MOST it will reveal about your browsing activities to the website owner is the url of the last page you visited before you entered their site (i.e. the url of the page with the link to their site on it) or the URL of pages that deep link to their content.
There is such a thing as too much paranoia………
January 6th, 2008 at 12:39 am
There’s also such a thing as wanting to suppress information, even if you personally don’t see the point. I use logins with URLs, I don’t really know if those’re carried over, or the path to admin folders that may not be properly configured.
Perhaps someone visits a site they don’t necessarily want everyone to know, is it relevant to every site I visit that I was just at rapesurvivors.net or how about gay.com? Should that be set as a cookie or just logged along with my IP address on the server to build a browsing history retrievable in seconds from the logs? Then if the site also has registration, you can just tie the registration info to the IP and that to the history.
I believe it’s required for cafepress sites among others, so you can force this. Just because YOU wouldn’t use it for social manipulation or harassment, that doesn’t mean you represent everyone.
April 10th, 2008 at 11:13 am
Remember also, that referer information is ONLY passed through clicking a link! That’s right, you can copy the URL to the address bar and the next site will not know where you came from. Neither does it work if you type any address on the address bar.
June 8th, 2008 at 11:19 am
So next time I go shopping at Target, I’ll go to the manager and tell him - hey, I just came from Walmart.
June 14th, 2008 at 3:40 pm
@bloogie: In a real life sense, this would only make sense if Walmart had actually told you to go to Target. It does make sense in real life on some occasions, even if it is not really necessary (the same thing as here).
For instance, I need to book a hotel. I go to Days Inn and they tell me that they are out of rooms, but Holiday Inn has a room for me. I go to Holiday Room and tell them that Days Inn just sent me here and I would like a room. While not necessary per se, it just makes sense.
Your example would not be how a referer works. A referer only happens in server logs when you click a link to go from one website to another. If I type in http://yahoo.com/ and then http://google.com/, Google would not know I got to their website after visiting Yahoo!. But if I clicked a link at http://yahoo.com/ to go to http://google.com, Google would know I got to their site via Yahoo!.
July 18th, 2008 at 6:26 pm
Is there a way to configure a link on my site to block the referer header - for instance, if I manage gay.com and have links to homophobia.com on my site - could I protect the privacy of my visitors?
October 8th, 2008 at 3:51 pm
@Jason:
Yes, prefix the url with http://www.de-referer.com/?, thus the link would become:
http://www.de-referer.com/?http://de-referer.com/homophobia.com
October 18th, 2008 at 9:14 am
Does anybody know whether Firefox sends the referrer when you open a link in a new tab by right-clicking and selecting “open in new tab”?