Apache Lounge

Understanding Referrer-Policy header

 
C0nw0nk
Joined: 07 Oct 2013 | Posts: 241 | Location: United Kingdom, London
Posted: Tue 25 Apr '17 2:19 | Post subject: Understanding Referrer-Policy header

So this header has me finding it slightly hard to understand.

https://securityheaders.io/?q=apachelounge.com&followRedirects=on

https://www.w3.org/TR/referrer-policy/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://scotthelme.co.uk/a-new-security-header-referrer-policy/


All I really want to know, for those of us who run sites where referrer traffic can come from any origin and does not matter, is: what should the value of this header be? Should the header even be present if we don't care about referrers?


From my understanding it is the header the browser will have when a user navigates away or from page to page of your site. So if you set "no-referrer" as the value, the client's web browser should never send any referrer header? So when I check my logs, all requests from one page to the next should all say empty / blank referrer.
glsmith (Moderator)
Joined: 16 Oct 2007 | Posts: 2123 | Location: Sun Diego, USA
Posted: Tue 25 Apr '17 6:23

If they follow a link from your page to mine, I will not know where it came from. If someone follows a link on a page of mine to your site, you will not know where they came from.

But there are the caveats so it's not that simple but it's a close enough explanation.

Personally, I do not like this policy and quite frankly don't understand the security implications of allowing another site to know a visitor came from a link on mine, other than that site owner follows it to my malware infested attack site that I do not have. If they don't have the sense to surf securely, too bad so sad.

I believe it is still just a draft RFC and hopefully simply dies a silent death and never makes it past draft stage.
C0nw0nk
Joined: 07 Oct 2013 | Posts: 241 | Location: United Kingdom, London
Posted: Tue 25 Apr '17 14:50

I think it is to do with browser privacy though.

For example some links on websites like facebook will have the profile name you are looking at and viewing before navigating away.

Other URLs and links, even on HTTPS/SSL sites, will have some URL like this:
Code:

    myshitsite.com/myaccount.php?username=Administrator&password=Holyfuck&i-can-be-seen-in-refferer-url=true


I see it as good from a security perspective to stop the websites you visit seeing your referrer, and protecting users' account data for your site as well as privacy reasons. It is a big violation of privacy, since users don't like people knowing they just came from watching porn, stalking an ex boyfriend's or girlfriend's profile, or cheating on their partner in a dating chatroom, etc. The list can go on.

All session data in a URL can be leaked via the referrer; it holds a lot more positive benefits than negative. Especially if you just came from your online banking website.


Hell, I am sure if I went through the referrers client browsers like Chrome, Firefox etc. have present in my servers' logs, I would find plenty of URLs like the one above from websites that think HTTPS/SSL is protecting their user accounts.

It is unwillingly/unknowingly sending every webmaster and webserver in the world that you visit your private information.


I love this new header and I set it to "no-referrer"; none of the sites on my servers will be at risk of this kind of privacy leak. The only browsers that will be at risk will be outdated ones and browsers that do not respect the web standard and read or follow/abide by what this header tells them to do. I also have zero need to see their private referrer details for my own sites in my logs, so "no-referrer" is the best setting for me. If I want to see their referrer in my own logs for debugging problems, I would set "same-origin".
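Added example, not code from this thread, from Apache Lounge or from httpd: a small Python model of how a browser derives the Referer request header from each Referrer-Policy value. It covers both the question in the opening post (what each value means, and that "no-referrer" simply means the header is absent, so the log field stays blank) and the query-string leak shown in the post above. The URLs are constructed, the function names are this example's own, and the model follows the W3C Referrer Policy algorithm in simplified form (credentials and the fragment are always stripped; an origin-only referrer is sent as scheme://host[:port]/).

```python
from urllib.parse import urlsplit, urlunsplit

# Valid Referrer-Policy tokens as listed in the W3C spec.
POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)

_DEFAULT_PORT = {"http": 80, "https": 443}


def _parts(url):
    p = urlsplit(url)
    if p.scheme not in _DEFAULT_PORT or not p.hostname:
        raise ValueError("expected an absolute http(s) URL: %r" % url)
    return p


def _host_port(p):
    # Default ports are omitted, as browsers do when serialising an origin.
    if p.port is None or p.port == _DEFAULT_PORT[p.scheme]:
        return p.hostname
    return "%s:%d" % (p.hostname, p.port)


def _origin(p):
    """scheme://host[:port]/ form, used by the origin-only policies."""
    return "%s://%s/" % (p.scheme, _host_port(p))


def _full(p):
    """Whole URL minus userinfo and fragment (always stripped by the browser)."""
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def same_origin(a, b):
    pa, pb = _parts(a), _parts(b)
    return (pa.scheme, pa.hostname, pa.port or _DEFAULT_PORT[pa.scheme]) == \
           (pb.scheme, pb.hostname, pb.port or _DEFAULT_PORT[pb.scheme])


def is_downgrade(source, destination):
    """HTTPS page linking to a plain-HTTP destination."""
    return _parts(source).scheme == "https" and _parts(destination).scheme == "http"


def compute_referrer(policy, source, destination):
    """Referer value the browser would send when leaving `source` for
    `destination` under `policy`, or None when no header is sent at all."""
    if policy not in POLICIES:
        raise ValueError("unknown Referrer-Policy token: %r" % policy)
    src = _parts(source)
    same = same_origin(source, destination)
    down = is_downgrade(source, destination)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(src)
    if policy == "no-referrer-when-downgrade":
        return None if down else _full(src)
    if policy == "same-origin":
        return _full(src) if same else None
    if policy == "origin":
        return _origin(src)
    if policy == "strict-origin":
        return None if down else _origin(src)
    if policy == "origin-when-cross-origin":
        return _full(src) if same else _origin(src)
    # strict-origin-when-cross-origin
    if same:
        return _full(src)
    return None if down else _origin(src)


def leaks_query(policy, source, destination):
    """True if the source page's query string (where session data or
    credentials may sit) would reach the destination server in Referer."""
    ref = compute_referrer(policy, source, destination)
    query = _parts(source).query
    return bool(query) and ref is not None and query in ref


if __name__ == "__main__":
    # Constructed sample: an account page carrying session data in its query string.
    leaky = "https://shop.example/account.php?user=alice&session=abc123#orders"
    for dest in ("https://shop.example/help", "https://other.example/", "http://other.example/"):
        print("link to", dest)
        for pol in POLICIES:
            print("  %-32s %s" % (pol, compute_referrer(pol, leaky, dest)))
```

In httpd the header itself is emitted with mod_headers, e.g. `Header always set Referrer-Policy "no-referrer"`. Running the table shows the trade-off discussed in the thread: with "no-referrer" nothing is sent anywhere, with "same-origin" the full URL (query string included) still reaches your own pages and logs but nothing reaches another site, and with "unsafe-url" or a browser that ignores the header the query string travels to every site the user clicks through to.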
glsmith (Moderator)
Joined: 16 Oct 2007 | Posts: 2123 | Location: Sun Diego, USA
Posted: Tue 25 Apr '17 20:30

If I go to your site from a porn site do I care if you know? Not really. If I did I can always copy the link and paste in a new tab and you will not get a referrer, not even on old browsers that do not support this feature.

Google and others follow everyone around all over the web and it's the corporations I am much more concerned about.

So in my view this only hurts the little guys. But hey, to each his own.

I am glad Steffen doesn't use this yet. Downloads on my site that I post here may not stick around very long, or get moved into a permanent location. At least I can see where they came from and edit my posts and change/remove old dead links. Where are you mod_spamhaus?
C0nw0nk
Joined: 07 Oct 2013 | Posts: 241 | Location: United Kingdom, London
Posted: Tue 25 Apr '17 22:04

This helps protect users from information disclosure of sensitive links containing private info at least.

Maybe they will come up with something for tracking next to stop Google and everyone with their IP and tracking cookies they store on your browser for us to use server side.

They do have a client-side feature to prevent tracking in Firefox, Chrome etc., but I bet the majority of servers and sites do not even respect this header. *CIA, FBI*

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DNT

Even www.cloudflare.com has a tracking cookie to track you across their network: it's their cfuid cookie, whenever you visit any website behind Cloudflare's CDN.