Is my understanding correct that this is just for the default, and I can restore the old behavior for my websites by including <meta name="referrer" content="unsafe-url">? If so I am fine with it, except for the fact that name is unfortunate: what is unsafe about unsafe-url?
It doesn’t matter 90% of time but it may leak a few sensitive info such as access token.
Site like docusign/dropbox generate links like that has something like ?token=unique-token-here anyone know that token can view that content. If browser send full referrer header, now the third party service has that token in their log.
So it’s always a good practice to trim down. Obviously if you are sure you have no sensitive information in the URL then you’re fine.
One way to fix this is once you see ?token=, you set it in session and immediately redirect to another page. Never ever render a full HTML page with sensitive token.
Obviously if you are sure you have no sensitive information in the URL then you’re fine.
It is a bad idea to be sure of this. You don’t know what kind of situation your reader is in - they could be a domestic violence situation, politically persecuted, or otherwise in a dangerous environment. Leaking what page they were reading on your site might be a huge problem for them, even if you (or I!) can’t see what problem that might be. Err on the side of caution.
If you absolutely insist on overriding Firefox’s new default, then at least please don’t set it to send a full Referrer even over plaintext connections, where any casual adversary on the network could get at it.
Is my understanding correct that this is just for the default, and I can restore the old behavior for my websites by including
<meta name="referrer" content="unsafe-url">? If so I am fine with it, except for the fact that name is unfortunate: what is unsafe about unsafe-url?It doesn’t matter 90% of time but it may leak a few sensitive info such as access token.
Site like docusign/dropbox generate links like that has something like
?token=unique-token-hereanyone know that token can view that content. If browser send full referrer header, now the third party service has that token in their log.So it’s always a good practice to trim down. Obviously if you are sure you have no sensitive information in the URL then you’re fine.
One way to fix this is once you see
?token=, you set it in session and immediately redirect to another page. Never ever render a full HTML page with sensitive token.It is a bad idea to be sure of this. You don’t know what kind of situation your reader is in - they could be a domestic violence situation, politically persecuted, or otherwise in a dangerous environment. Leaking what page they were reading on your site might be a huge problem for them, even if you (or I!) can’t see what problem that might be. Err on the side of caution.
If you absolutely insist on overriding Firefox’s new default, then at least please don’t set it to send a full Referrer even over plaintext connections, where any casual adversary on the network could get at it.
It leaks information about your visitors to third-parties.
I want to “leak” that information so that third parties are informed where they are linked from.
I think the point is that your readers may not want the same thing.
Yeah, it’s not unsafe for the website author. It’s unsafe for the user.