https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/

Mozilla Security Blog
Categories: Firefox, Privacy

Firefox 87 trims HTTP Referrers by default to protect user privacy

Dimi Lee and Christoph Kerschbaumer
March 22, 2021

We are pleased to announce that Firefox 87 will introduce a stricter, more privacy-preserving default Referrer Policy. From now on, by default, Firefox will trim path and query string information from referrer headers to prevent sites from accidentally leaking sensitive user data.

Referrer headers and Referrer Policy

Browsers send the HTTP Referrer header (note: the original specification name is 'HTTP Referer') to signal to a website which location "referred" the user to that website's server. More precisely, browsers have traditionally sent the full URL of the referring document (typically the URL in the address bar) in the HTTP Referrer header with virtually every navigation or subresource (image, style, script) request.

Websites can use referrer information for many fairly innocent purposes, including analytics, logging, or optimizing caching. Unfortunately, the HTTP Referrer header often contains private user data: it can reveal which articles a user is reading on the referring website, or even include information on a user's account on a website.

The introduction of the Referrer Policy in browsers in 2016-2018 allowed websites to gain more control over the referrer values on their site, and hence provided a mechanism to protect the privacy of their users.
However, if a website does not set any kind of referrer policy, then web browsers have traditionally defaulted to using a policy of 'no-referrer-when-downgrade', which trims the referrer when navigating to a less secure destination (e.g., navigating from https: to http:) but otherwise sends the full URL, including path and query information, of the originating document as the referrer.

A new Policy for an evolving Web

The 'no-referrer-when-downgrade' policy is a relic of the past web, when sensitive web browsing was thought to occur only over HTTPS connections and, as such, should not leak information into HTTP requests. Today's web looks much different: the web is on a path to becoming HTTPS-only, and browsers are taking steps to curtail information leakage across websites. It is time we change our default Referrer Policy in line with these new goals.

[Image: referrer-scaled] Firefox 87's new default Referrer Policy 'strict-origin-when-cross-origin' trims user-sensitive information like the path and query string to protect privacy.

Starting with Firefox 87, we set the default Referrer Policy to 'strict-origin-when-cross-origin', which will trim user-sensitive information accessible in the URL. As illustrated in the example above, this new, stricter referrer policy will not only trim information for requests going from HTTPS to HTTP, but will also trim path and query information for all cross-origin requests. With that update, Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience.

If you are a Firefox user, you don't have to do anything to benefit from this change. As soon as your Firefox auto-updates to version 87, the new default policy will be in effect for every website you visit.
If you aren't a Firefox user yet, you can download it here to start taking advantage of all the ways Firefox works to improve your privacy step by step with every new release.