wiki: revisit smart referer recommendation
the wiki mentions smart referer as a potential alternative to 1601
in case of breakage, and it also includes a couple tweaks (whitelist and strict mode).
however one of the default settings of SR is rewrite mode, quoting the readme of the project:
Rewrite Mode: Can be used to change what is sent to the server instead of the original referer header. The default (Send the URL you’re going to as referer) is known to cause the least issues on most sites and is therefore recommended.
this means that out of the box SR is spoofing referers which is not a good idea for security, and in fact it’s enforced false using 6002.
the wiki should recommend changing rewrite mode to “Send nothing”.
Issue Analytics
- State:
- Created a year ago
- Comments:18 (6 by maintainers)
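Why a rewritten referer matters to a site that uses the Referer header as a CSRF check, as an added example that is not part of the original issue and is not Smart Referer's code. The mode labels, the hostnames, the hostname-equality "same site" test and the strict server-side check are assumptions made for the illustration.

```javascript
'use strict';

// Referer that would be sent for a request from sourceUrl to targetUrl.
// Mode names are labels for this example only.
function outgoingReferer(mode, sourceUrl, targetUrl) {
  const source = new URL(sourceUrl);
  const target = new URL(targetUrl);
  // Simplification: "same site" is hostname equality here, not eTLD+1.
  if (source.hostname === target.hostname) return source.href;
  switch (mode) {
    case 'original': return source.href;        // header left untouched
    case 'rewrite-target': return target.href;  // "Send the URL you're going to as referer"
    case 'send-nothing': return null;           // header omitted
    default: throw new Error(`unknown mode: ${mode}`);
  }
}

// Server-side Referer-based CSRF check for a state-changing request.
// Strict variant (assumption): a missing or unparsable Referer is rejected.
function refererCheckPasses(requestUrl, refererHeader) {
  if (refererHeader === null) return false;
  let referer;
  try { referer = new URL(refererHeader); } catch { return false; }
  return referer.origin === new URL(requestUrl).origin;
}

// What the server sees, and whether its check passes, under each mode.
function evaluateModes(sourceUrl, targetUrl) {
  const result = {};
  for (const mode of ['original', 'rewrite-target', 'send-nothing']) {
    const referer = outgoingReferer(mode, sourceUrl, targetUrl);
    result[mode] = { referer, passes: refererCheckPasses(targetUrl, referer) };
  }
  return result;
}

// Constructed cross-site request: a page on other.example submits to bank.example.
const demo = evaluateModes('https://other.example/page', 'https://bank.example/transfer');
console.log(demo);
```

Only the rewritten header makes the cross-site request look same-origin to the server; the untouched and omitted headers both fail the check.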
Top GitHub Comments
Here’s hoping uBO adds this - https://github.com/uBlockOrigin/uBlock-issues/issues/1663#issuecomment-1192832027 - then users can block by default but allow per eTLD+1. No Spoofing or affecting of CSRF. This is honestly the only way to do it IMO - simple on/off - I personally don’t think we need any of the complexity of origin vs destination
And it would be one less extension for those who use Smart Referer. Most users wouldn’t want to disable all cross-site referers as per our default, it breaks too many platforms and properties. It’s fine for me, but I’m also happy to use uBO to break most 3rd party anyway.
The referrer pref 1601 is probably the biggest pref users have an issue with. If uBO added a block/enable per-site scope for this, then we could make that pref inactive, and just add a referer note to the uBO setup instructions.
All I want is
What I don’t want