I was annoyed recently when I discovered that the Mozilla/Firebird/Firefox sidebars send referrer headers when you click on links in them. In fact, they don't send the referrer as the page loaded in the sidebar, but as the page loaded in the main browser window! That seems to me to be a pretty big privacy problem, since other sites you visit can see whatever page you're browsing if you happen to click on a link in your sidebar. It can even be a security hole if session ids are in the URL (as they never should be, but that's another issue).
There's a bug filed for this exact issue, bug 226548. Bug 122668 is a semi-related bug. Judging by this original bug, bug 137342, it seems that this has been a known bug for almost two years, at least, with no sign of getting fixed soon. I'd like to poke around in the source code, but I have no clue where to even start looking.
It seems there's a preference to turn off referrers altogether, so I may just use that. But it's a shame to have to go that far to fix this one broken feature.
user_pref("network.http.sendRefererHeader", 0);
0 = do not send header information
1 = send only clicks
2 = enabled
(about:config is your friend.) Though, I'm not sure what the difference between 1 and 2 is. Ahh, 2 sends on image requests and such.
Hmm... also see http://refspoof.mozdev.org/
Update: The nice side-effect of this is that now I stop getting annoying referrers when I use my javascript bookmarklet to post to my bookmarks collection (which I'll be making public in a few days once I get a few more features -- such as renaming -- into it).
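The session-ID risk mentioned in the first paragraph can be checked from the server side. The following is an added example, not part of the original post: a site operator's audit of their own access log for URLs that carry session identifiers, since those are the URLs a leaked referrer would hand to other sites. The parameter names, the "combined" log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed session-parameter names; extend the set for your own applications.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sessionid", "session_id", "sid"}

# Apache/nginx "combined" format: ... "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def session_params_in(url):
    """Return the names of session-like parameters found in a URL."""
    parts = urlsplit(url)
    found = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SESSION_PARAMS]
    # Java-style path parameter, e.g. /cart;jsessionid=ABC
    for seg in parts.path.split(";")[1:]:
        name = seg.split("=", 1)[0]
        if name.lower() in SESSION_PARAMS:
            found.append(name)
    return found

def audit(lines):
    """Return (field, host, names) for each request target or Referer that
    carries a session identifier. Only names are reported, never values."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        tokens = m["request"].split(" ")
        target = tokens[1] if len(tokens) >= 2 else ""
        for field, url in (("request", target), ("referer", m["referer"])):
            names = session_params_in(url)
            if names:
                findings.append((field, urlsplit(url).hostname, names))
    return findings

# Constructed sample log lines (documentation addresses, example domain).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /inbox?PHPSESSID=abc123&msg=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2004:10:00:05 +0000] "GET /about HTTP/1.1" 200 100 "http://www.example.com/cart;jsessionid=F00D?item=2" "Mozilla/5.0"',
    '192.0.2.12 - - [01/Jan/2004:10:00:09 +0000] "GET /story?id=7 HTTP/1.1" 200 100 "http://www.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for field, host, names in audit(SAMPLE_LOG):
        print(f"{field} ({host or 'this site'}): carries {', '.join(names)}")
```

Any finding means the identifier should move out of the URL (for example into a cookie), which removes the exposure regardless of how a browser fills in the referrer.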
Hi,
I'm trying to find a user_pref to disable the sidebar altogether so that when the browser launches, it's always closed.
Your HTTP referrer problem seems to lurk close, so perhaps you know something. Any ideas?
Thanks
john