February 2018


I’m mystified by some Firefox browser privacy policies, and I wonder if anyone can help me understand them better.

I hadn’t been following browser HTTP referrer policy closely. I knew that referrals were sent, and that had always vaguely puzzled me from a privacy perspective, but I assumed that Smart People Were Working On It, and that there were probably reasons why things are the way they are. After reading this post on the Mozilla Security Blog yesterday, I suddenly wished I’d been following things more closely. The post is meant to tell us about how Firefox is getting better about privacy. But after reading it, I feel worse about privacy than I did before reading it. Here’s a summary of what the post says:

When you follow a link on web page X to go to web page Y, your browser sends Y’s server an indication that you were referred to Y by X. (This information is sent in the “HTTP Referer” [sic] header, for those keeping score at home; yes, it is probably the most famous misspelling in all of Web standards.) The referral information typically includes the entire URL of the page you’re coming from, that is, the site address and path of X. For example, for this post the site address is “www.rants.org” and the path is “/2018/02/a-mystery-firefox-and-user-privacy/”.

Okay, pausing for a moment to ask the obvious first question:

Can I turn this off in my browser settings? Because maybe I consider that information private and don’t want to tell one web site what other web site I’m coming from.

Answer: not unless you have a Ph.D. in Firefox Studies. At least, in the “Preferences → Privacy Settings” menu of Firefox 52.5, there is no identifiable option for controlling this. You can do it via about:config, by setting network.http.sendRefererHeader to 0 instead of the default 2, but that way of setting preferences won’t fly for the majority of users. There really should be a way to do it from Firefox’s normal preferences dashboard.

Continuing with the post:

As of Firefox 59, when you’re browsing in Private Mode, Firefox will not send the path portion of the referrer information.

Well, uh, okay, that’s an improvement, I guess. But then why even send the origin site at all, even without the path? Shouldn’t “Private” mean private? In Private Browsing Mode, I would expect no referral information to be sent at all. Then, to make matters worse, a bit later the post says:

In Firefox Regular and Private Browsing Mode, if a site specifically sets a more restrictive or more liberal Referrer Policy than the browser default, the browser will honor the websites [sic] request since the site author is intentionally changing the value.

Now I’m even more confused. Why would the site author get to decide what the value should be? At all, I mean, but especially in Private Browsing Mode! I thought the whole point of Private Browsing Mode was that the browser user would decide that. Browser users are often in an adversarial relationship with site authors. The browser should take the user’s side in that relationship, every time.
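To make the layering concrete, here is a small model of which Referer value ends up on the wire, given the user's about:config setting, the browsing mode, and any Referrer-Policy the site being left has set. It is an added example, not code from Firefox or from the Mozilla post; the two browser defaults, the https scheme for this site, and the example.com destination are assumptions.

```javascript
// Added example, not Firefox source. Assumed browser defaults: regular mode =
// no-referrer-when-downgrade; private mode (Firefox 59+) =
// strict-origin-when-cross-origin.
const DEFAULTS = { regular: 'no-referrer-when-downgrade',
                   private: 'strict-origin-when-cross-origin' };

// Full referrer: the fragment and any credentials are never sent.
function fullUrl(u) {
  const c = new URL(u.href);
  c.hash = ''; c.username = ''; c.password = '';
  return c.href;
}

// Returns the Referer header value, or null when no header is sent.
// opts.sendRefererHeader mirrors the about:config pref (0 = never send).
// opts.sitePolicy is the Referrer-Policy set by the page being left.
function refererFor(from, to, opts = {}) {
  const { mode = 'regular', sitePolicy = null, sendRefererHeader = 2 } = opts;
  if (sendRefererHeader === 0) return null;      // user opted out entirely
  const src = new URL(from), dst = new URL(to);
  const policy = sitePolicy || DEFAULTS[mode];   // site value beats the default
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  const origin = src.origin + '/';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return fullUrl(src);
    case 'origin': return origin;
    case 'same-origin': return sameOrigin ? fullUrl(src) : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'origin-when-cross-origin': return sameOrigin ? fullUrl(src) : origin;
    case 'no-referrer-when-downgrade': return downgrade ? null : fullUrl(src);
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? fullUrl(src) : (downgrade ? null : origin);
    default: throw new Error('unknown policy: ' + policy);
  }
}

// X is this post's address (https assumed); Y is a constructed destination.
const X = 'https://www.rants.org/2018/02/a-mystery-firefox-and-user-privacy/';
const Y = 'https://example.com/landing';
console.log('regular default      :', refererFor(X, Y));
console.log('private default      :', refererFor(X, Y, { mode: 'private' }));
console.log('private + site policy:',
  refererFor(X, Y, { mode: 'private', sitePolicy: 'unsafe-url' }));
console.log('pref set to 0        :',
  refererFor(X, Y, { sitePolicy: 'unsafe-url', sendRefererHeader: 0 }));
```

The third line of output is the case questioned above: in private mode, a site-set `unsafe-url` policy restores the full path, and only the about:config pref suppresses the header regardless of what the site asks for.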

I must be missing something here. Education welcome. (The answer might be somewhere under this post, but I haven’t found it yet.)