add Firefox about_config values for Referer #340

2017-09-27T01:35:27Z

groovecoder commented

2017-09-27 01:35:27 +00:00

(Migrated from github.com)

Description

Add suggested values for network.http.referer.XOriginPolicy and network.http.referer.XOriginTrimmingPolicy

HTML Preview

http://htmlpreview.github.io/?https://github.com/groovecoder/privacytools.io/blob/about-config-referer/index.html

### Description Add suggested values for `network.http.referer.XOriginPolicy` and `network.http.referer.XOriginTrimmingPolicy` ### HTML Preview http://htmlpreview.github.io/?https://github.com/groovecoder/privacytools.io/blob/about-config-referer/index.html

kewde commented

2017-10-01 10:34:40 +00:00

(Migrated from github.com)

I wasn't aware about these configuration settings, thanks!

kewde commented

2017-10-01 10:42:03 +00:00

(Migrated from github.com)

Is there a particular reason why you set network.http.referer.XOriginPolicy to 1 instead of 2?

1: a.example.com and b.example.com would be allowed
2: only b.example.com & b.example.com would be allowed

Seems like the second option is even more secure, but maybe at the expense of functionality.

Is there a particular reason why you set `network.http.referer.XOriginPolicy` to 1 instead of 2? 1: a.example.com and b.example.com would be allowed 2: only b.example.com & b.example.com would be allowed Seems like the second option is even more secure, but maybe at the expense of functionality.

groovecoder commented

2017-10-01 12:21:27 +00:00

(Migrated from github.com)

Right; 1 would seem to break fewer things. When we studied its effect on user-reported breakage, it seemed to be minimal. We didn't study 2 yet, but we probably will. I'll update here again if 2 seems just as good.

Right; `1` would seem to break fewer things. When [we studied its effect on user-reported breakage](https://docs.google.com/presentation/d/1OVtXAnyeBLX2N1yyZoTMP9AV_6HnI3mnXwIFlOL7yOA/edit#slide=id.g251dbe7f10_0_14), it seemed to be minimal. We didn't study `2` yet, but we probably will. I'll update here again if `2` seems just as good.

groovecoder commented

2017-10-01 12:24:11 +00:00

(Migrated from github.com)

Sorry I had my settings crossed. We didn't actually study XOriginPolicy effects on breakage. But the assumption is the same - referers to eTLD will presumably break fewer sites.

Sorry I had my settings crossed. We didn't actually study `XOriginPolicy` effects on breakage. But the assumption is the same - referers to eTLD will presumably break fewer sites.

ghost commented

2017-10-01 16:09:22 +00:00

(Migrated from github.com)

Not sure 1 really helps. Maybe recommend 2 and explain that if it breaks sites a lot, the user should try changing it to 1?

Not sure `1` really helps. Maybe recommend `2` and explain that if it breaks sites a lot, the user should try changing it to `1`?

groovecoder commented

2017-10-01 16:46:08 +00:00

(Migrated from github.com)

Depends on the adversary and the risk. eTLD's would able to combine/track across the sub-domains if they wanted to. But I see the other privacy settings tweaks maximize privacy, so 2 makes sense here.

Updated commit to suggest 2 and also to suggest a global Referer trimming policy.

Depends on the adversary and the risk. eTLD's would able to combine/track across the sub-domains if they wanted to. But I see the other privacy settings tweaks maximize privacy, so `2` makes sense here. Updated commit to suggest `2` and also to suggest a global `Referer` trimming policy.

kewde (Migrated from github.com) approved these changes 2017-10-03 16:03:15 +00:00

This repo is archived. You cannot comment on pull requests.

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#340