Control the HTTP referer to protect privacy without breaking the web.
- Firefox Addon
- Chrome Addon (Manifest v2 needed)
Notice: Due to a browser bug in JavaScript `document.referrer` on Firefox 69+ (1601496, 1601743) (also on Chrome), a regular referer-controlling addon gives you 70% of the expected protection until the bug is fixed.
We've therefore implemented a workaround that improves protection to 85%. Please enable the workaround in the addon settings.
- For a website's top frame (i.e. clicking a link, navigating, redirecting etc.):
  - If the origin and target URLs have the same domain, allow a trimmed referer
  - If the origin and target URLs have different domains, no referer
- For in-page resources (images, videos, js, css etc.), allow a trimmed referer (this is the key to not breaking most websites, and also a balance between privacy and experience)
- Trim referer: any referer should be no more than `http(s)://domain-name:port/` (like Firefox's native `about:config` setting `network.http.referer.trimmingPolicy = 2`).
- Do not allow a referer that does not start with "http" or "https". (Please give feedback if you find something broken due to this)
- No referer when downgrading from HTTPS/WSS to HTTP/WS

We believe this protects privacy well enough and won't break the web.
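
The rules above written as one decision function, as an added example that is not the addon's own code. The function names and sample URLs are constructed, and "same domain" is assumed to mean an exact hostname match.

```javascript
// Added example: hypothetical names, not taken from the addon's source.
const SECURE = new Set(["https:", "wss:"]);
const INSECURE = new Set(["http:", "ws:"]);

// Trim to scheme://host[:port]/ so path, query and fragment never leak.
function trimReferer(url) {
  return url.origin + "/";
}

// Returns the Referer value to send, or null for "send no referer".
// Assumption: "same domain" is compared as an exact hostname match.
function decideReferer(originUrl, targetUrl, isTopFrame) {
  let origin, target;
  try {
    origin = new URL(originUrl);
    target = new URL(targetUrl);
  } catch (e) {
    return null; // unparsable URL: send nothing
  }
  // Only referers starting with http or https are allowed.
  if (origin.protocol !== "http:" && origin.protocol !== "https:") return null;
  // No referer when downgrading from HTTPS/WSS to HTTP/WS.
  if (SECURE.has(origin.protocol) && INSECURE.has(target.protocol)) return null;
  // Top frame, different domain: no referer.
  if (isTopFrame && origin.hostname !== target.hostname) return null;
  // Same-domain top frame, or any in-page resource: trimmed referer.
  return trimReferer(origin);
}

// Constructed sample requests: [origin, target, isTopFrame]
const samples = [
  ["https://shop.example/cart?id=42", "https://shop.example/checkout", true],
  ["https://shop.example/cart?id=42", "https://tracker.example/", true],
  ["https://shop.example/cart?id=42", "https://cdn.example/logo.png", false],
  ["https://shop.example/cart?id=42", "http://shop.example/old", true],
  ["about:blank", "https://shop.example/", false],
];
for (const [o, t, top] of samples) {
  console.log(`${o} -> ${t} (top=${top}):`, decideReferer(o, t, top));
}
```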
This addon doesn't use a content script. Hiding `document.referrer` with a content script is not 100% reliable.
Instead, we use this workaround to kill `document.referrer`:
Cancel all cross-domain navigation requests and make fresh new ones, like a direct hit (currently only implemented for the GET method and the main frame; other methods and sub-frames remain as is).
If a user finds a website broken, they can temporarily disable this addon via the toolbar button for:
- this one tab
- this one tab and new tabs opened by this tab
- this one window (Firefox only)
- globally
(the above can be set as keyboard shortcuts)
There's a showy toolbar button badge indicating the fallback disabling status.
Currently it has a hard-coded allowlist.
This open source addon comes with no warranty. Use at your own risk!