Fallback behavior for referrer truncation results in an invalid value
See original GitHub issueThe fallback behavior for referrer truncation in the fingerprint-protection.js
content script looks as follows:
This sets the referrer to hostname only which isn’t a valid URL. I guess that the idea here was to use new URL(document.referrer).origin
instead which makes more sense.
Issue Analytics
- State:
- Created 3 years ago
- Comments:7 (2 by maintainers)
Top Results From Across the Web
A new default Referrer-Policy for Chrome - strict-origin-when ...
Browsers are evolving towards privacy-enhancing default referrer policies, to provide a good fallback when a website has no policy set. Chrome ...
Read more >Safari Technology Preview Release Notes - Apple Developer
Fixed document.referrer value missing a trailing slash (r280342); Fixed FetchResponse.formData() to not reject the promise if the body is null and the MIME ......
Read more >8. Configuration Reference — BIND 9 9.18.8 documentation
Statements define and control specific BIND behaviors. ... If block-size is greater than 512, a warning is logged and the value is truncated...
Read more >Content Security Policy (CSP) - HTTP - MDN Web Docs
Chrome Edge
Content‑Security‑Policy Full support. Chrome25. more. Toggle history Full sup...
base‑uri Full support. Chrome40. Toggle history Full sup...
block‑all‑mixed‑content. Deprecated Full support. ChromeYes. Toggle history...
Read more >Data column reference | Adobe Analytics - Experience League
Column name Column description Data type
adload Media ad loads varchar(255)
browser_height Height in pixels of the browser window. smallint unsigned
browser_width Width in pixels of...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Thanks for mentioning this @kberridge. It’s a slightly different issue, but I’ll take a look!
What would be the expected flow to override this in this example? If an embedded domain is whitelisted to only be embedded on a subdomain, it won’t load in this case. For context, Cloudflare Stream is the service that broke in this example, with their allowed origin domains security feature blocking access since the subdomain was permitted but only the root domain was passed in the referrer.
Can’t this protection be routed around by malicious actors by constructing an iframe using Javascript that embeds the true origin as a query string parameter?