Most of the web now protected against one class of information disclosure vulnerability

The majority of the web is now protected against information disclosure exploits that leverage the HTTP Referer header, after Mozilla shipped a privacy-focused Firefox update.

Launched yesterday (March 23), Firefox 87 marks the debut of a stricter, more privacy-preserving default Referrer Policy, according to Mozilla.

“From now on, by default, Firefox will trim path and query string information from referrer headers to prevent sites from accidentally leaking sensitive user data,” the company said in a blog post.

Points of reference

Historically, browsers sent the HTTP Referer header (the misspelling is baked into the protocol) to let a website know which URL ‘referred’ a user to it. Because the header carried the full URL, any secret placed in a path or query string, such as a password-reset token or session identifier, travelled with it to whatever third-party resources the page loaded.

The default Referrer Policy adopted by browser-makers around five years ago, no-referrer-when-downgrade, already withheld the referrer on transitions from HTTPS to plain HTTP, but it has now been superseded by the tighter strict-origin-when-cross-origin default.

The new “stricter referrer policy will not only trim information for requests going from HTTPS to HTTP, but will also trim path and query information for all cross-origin requests,” Mozilla explained.

Google made the same strict-origin-when-cross-origin policy the default for Chrome in 2020, starting with Chrome 85.

Under the new default, cross-origin requests carry only the referring page’s origin (scheme, host and port), not its path or query string, while same-origin requests still receive the full URL. A site can override the default for backwards compatibility with a Referrer-Policy response header, a <meta name="referrer"> tag, or a referrerpolicy attribute on individual elements, as Google’s documentation for developers explains; loosening it, however, reopens exactly the leak the change was meant to close.
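As an added example (not code from Mozilla, Google or Apple), the function below reproduces the trimming rules described above, following the W3C Referrer Policy specification, so you can see what Referer value a browser sends under each named policy. The host names (bank.example, analytics.example, cdn.example), the reset token and the simplified "potentially trustworthy" check are constructed for illustration.

```javascript
// Added example (not browser code): compute the Referer value a browser sends for a
// request from `fromUrl` to `toUrl` under a given Referrer Policy, following the
// rules of the W3C Referrer Policy specification. Returns null when no header is sent.

function isPotentiallyTrustworthy(u) {
  // Simplified version of the spec's check (assumption): HTTPS and loopback count as secure.
  return u.protocol === "https:" || u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

function stripForReferrer(u) {
  // "Strip url for use as a referrer": only http(s) referrers are ever sent, and
  // credentials plus the fragment are always removed before anything else happens.
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  const c = new URL(u.href);
  c.username = "";
  c.password = "";
  c.hash = "";
  return c.href;
}

function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const full = stripForReferrer(from);
  if (full === null) return null;

  // Origin-only form: scheme://host[:port] plus a trailing slash, e.g. "https://bank.example/".
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is a request from a secure context to an insecure one (HTTPS -> HTTP).
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade":        // the old browser default
      return downgrade ? null : full;
    case "":                                   // no policy set: the browser default...
    case "strict-origin-when-cross-origin":    // ...which is now this in Firefox 87 and Chrome 85+
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed scenario: a password-reset page whose URL carries a secret token loads a
// third-party tracking pixel. Compare what the tracker learns under the old and new defaults.
function leakComparison() {
  const resetPage = "https://bank.example/reset?token=3f9a0c";   // constructed secret in the URL
  const tracker = "https://analytics.example/pixel.gif";          // cross-origin subresource
  return {
    oldDefault: computeReferrer("no-referrer-when-downgrade", resetPage, tracker),
    newDefault: computeReferrer("strict-origin-when-cross-origin", resetPage, tracker),
    sameOrigin: computeReferrer("strict-origin-when-cross-origin", resetPage, "https://bank.example/help"),
    downgrade: computeReferrer("strict-origin-when-cross-origin", resetPage, "http://cdn.example/a.js"),
  };
}

console.log(leakComparison());
```

Under the old default the tracker receives the full reset URL, token included; under the new default it receives only `https://bank.example/`, while a same-origin request still gets the full URL and an HTTPS-to-HTTP request gets no Referer at all. The practical check for an application is to run its own URLs through the policy it sets: if a page must carry a secret in its query string, it should declare `same-origin` or `no-referrer` itself rather than rely on the browser default, and it should never set `unsafe-url` or `no-referrer-when-downgrade` to keep third-party analytics happy.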

On Safari

Apple’s Safari made a comparable change in December 2019, through Intelligent Tracking Prevention (ITP) 2.3.

ITP now “downgrades all cross-site request referrer headers to just the page’s origin”, whereas previously it did so only for cross-site requests to domains it had classified as trackers, according to Apple.

These controls also apply to Safari on mobile devices running iOS, such as iPhones and iPads.

Taken together, the changes by browser makers address a whole class of information disclosure vulnerability: sensitive data placed in URL paths or query strings leaking to third parties through the HTTP Referer header.