Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Fallback behavior for referrer truncation results in an invalid value

See original GitHub issue

The fallback behavior for referrer truncation in the fingerprint-protection.js content script looks as follows:

https://github.com/duckduckgo/duckduckgo-privacy-extension/blob/e15a3fba9fc46bca8f38114c574207e68b0446d6/shared/data/fingerprint-protection.js#L111-L114

This sets the referrer to hostname only which isn’t a valid URL. I guess that the idea here was to use new URL(document.referrer).origin instead which makes more sense.

Issue Analytics

State:
Created 3 years ago
Comments:7 (2 by maintainers)

Top GitHub Comments

1reaction

Charlie-belmercommented, Feb 2, 2021

Thanks for mentioning this @kberridge. It’s a slightly different issue, but I’ll take a look!

0reactions

weaversam8commented, Mar 17, 2021

What would be the expected flow to override this in this example? If an embedded domain is whitelisted to only be embedded on a subdomain, it won’t load in this case. For context, Cloudflare Stream is the service that broke in this example, with their allowed origin domains security feature blocking access since the subdomain was permitted but only the root domain was passed in the referrer.

Can’t this protection be routed around by malicious actors by constructing an iframe using Javascript that embeds the true origin as a query string parameter?

Top Results From Across the Web

A new default Referrer-Policy for Chrome - strict-origin-when ...

Browsers are evolving towards privacy-enhancing default referrer policies, to provide a good fallback when a website has no policy set. Chrome ...

Safari Technology Preview Release Notes - Apple Developer

Fixed document.referrer value missing a trailing slash (r280342); Fixed FetchResponse.formData() to not reject the promise if the body is null and the MIME ......

8. Configuration Reference — BIND 9 9.18.8 documentation

Statements define and control specific BIND behaviors. ... If block-size is greater than 512, a warning is logged and the value is truncated...

Content Security Policy (CSP) - HTTP - MDN Web Docs

Chrome Edge Content‑Security‑Policy Full support. Chrome25. more. Toggle history Full sup... base‑uri Full support. Chrome40. Toggle history Full sup... block‑all‑mixed‑content. Deprecated Full support. ChromeYes. Toggle history...

Data column reference | Adobe Analytics - Experience League

Column name Column description Data type adload Media ad loads varchar(255) browser_height Height in pixels of the browser window. smallint unsigned browser_width Width in pixels of...