Block Referer Headers in Firefox

When you follow a link from one page or site to another, the browser usually sends a Referer [sic] header to the server to tell sites where you came from:

GET /test.phtml HTTP/1.1
Host: cafe.elharo.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051130 Firefox/1.5
Referer: http://blog.xyz.com/blog/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

In general this is a good thing. However, unscrupulous sites can and do abuse this information to violate visitors’ privacy and track them across the Web. In combination with cookies, it’s especially dangerous. In Firefox, you can disable the sending of the Referer header completely, and in general I recommend you do so. Here are the steps:

  1. Type “about:config” in the location bar, and press return.
  2. In the filter box, type “referer” and press return. This should leave you with one preference, network.http.sendRefererHeader. This is probably set to 2.
  3. Right click on network.http.sendRefererHeader and select “Modify”.
  4. In the dialog that appears type “0” and press OK.
  5. Close the window.

This completely disables the referer header. This is normally what you want, though it may occasionally break a few sites that check the referer header to prevent deep linking or framing of their content. (It breaks WordPress, for example.)

If you run into problems, try setting sendRefererHeader to 1 instead. Setting it to 1 sends a referer header when following a link to another page, but not when loading images on the page. This will block most cross-site cookie tracking, but still allow WordPress and most other sites that depend on referers to function. Setting sendRefererHeader to 2 (the default) sends it when following links and when loading images on the page.
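To confirm which value is in effect, the following added example (not part of the original post) runs a small local server whose page contains one link and one image and reports whether each request arrived with a Referer header. The address, port, paths and page markup are assumptions chosen for the sketch.

```python
# Added example: local test page for network.http.sendRefererHeader.
# Address, port, paths and page markup are arbitrary choices for this sketch.
from http.server import BaseHTTPRequestHandler, HTTPServer

# Minimal 1x1 GIF so the image request gets a valid response body.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
         b"\x00\x02\x02D\x01\x00;")
PAGE = (b"<!doctype html><title>Referer check</title>"
        b'<p><a href="/link">Follow this link</a></p>'
        b'<img src="/pixel.gif" alt="">')
KINDS = {"/link": "link navigation", "/pixel.gif": "image load"}
seen = []  # (path, Referer value or None) for every request received


def verdict(path, referer):
    """One-line summary of whether a request carried a Referer header."""
    state = "Referer sent: " + referer if referer else "no Referer"
    return KINDS.get(path, "other request") + ": " + state


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        referer = self.headers.get("Referer")
        seen.append((self.path, referer))
        print(verdict(self.path, referer))
        if self.path == "/pixel.gif":
            ctype, body = "image/gif", PIXEL
        elif self.path == "/link":
            ctype, body = "text/plain", verdict(self.path, referer).encode()
        else:
            ctype, body = "text/html", PAGE
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Cache-Control", "no-store")  # force a fresh request
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # silence the default access log; do_GET prints the summary


if __name__ == "__main__":
    # Open http://127.0.0.1:8000/ in Firefox, then click the link.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Going by the settings described above, a value of 2 should print a Referer for both the image load and the link navigation, 1 for the link navigation only, and 0 for neither.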

There’s also a boolean network.http.sendSecureXSiteReferer preference. If true, referer headers are sent for https the same as they are for http (i.e. controlled by network.http.sendRefererHeader). If false, referer headers are not sent for https connections. The default is true, and that’s probably OK; but if you like you can set this to false by toggling the value.

That’s it. You’re done. Taking these steps significantly reduces the ability of sites to track and profile you.
