Git/firefox-user.js
1
0
Fork 0
mirror of https://github.com/arkenfox/user.js.git synced 2025-11-03 23:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

harden cross-domain referers, closes #1077

Browse Source
This commit is contained in:
Thorin-Oakenpants
2020-12-27 05:01:33 +00:00
committed by GitHub
parent 0152b38b8b
commit 8c9d0bbe72
1 changed files with 5 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
user.js
View File

@@ -815,10 +815,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
/*** [SECTION 1600]: HEADERS / REFERERS /*** [SECTION 1600]: HEADERS / REFERERS
Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone
--- ---
harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below) Expect some breakage: Use an extension if you need precise control
harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage
---
If you want any REAL control over referers and breakage, then use an extension
--- ---
full URI: https://example.com:8888/foo/bar.html?id=1234 full URI: https://example.com:8888/foo/bar.html?id=1234
scheme+host+port+path: https://example.com:8888/foo/bar.html scheme+host+port+path: https://example.com:8888/foo/bar.html
@@ -829,17 +826,17 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!"); user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
/* 1601: ALL: control when images/links send a referer /* 1601: ALL: control when images/links send a referer
* 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/ * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
// user_pref("network.http.sendRefererHeader", 2); // [DEFAULT: 2] // user_pref("network.http.sendRefererHeader", 2);
/* 1602: ALL: control the amount of information to send /* 1602: ALL: control the amount of information to send
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
// user_pref("network.http.referer.trimmingPolicy", 0); // [DEFAULT: 0] // user_pref("network.http.referer.trimmingPolicy", 0);
/* 1603: CROSS ORIGIN: control when to send a referer /* 1603: CROSS ORIGIN: control when to send a referer
* 0=always (default), 1=only if base domains match, 2=only if hosts match * 0=always (default), 1=only if base domains match, 2=only if hosts match
* [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/ * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/
user_pref("network.http.referer.XOriginPolicy", 1); user_pref("network.http.referer.XOriginPolicy", 2);
/* 1604: CROSS ORIGIN: control the amount of information to send [FF52+] /* 1604: CROSS ORIGIN: control the amount of information to send [FF52+]
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/ * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0] user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
/* 1605: ALL: disable spoofing a referer /* 1605: ALL: disable spoofing a referer
* [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF * [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF
* (Cross-Site Request Forgery) protections that some sites may rely on ***/ * (Cross-Site Request Forgery) protections that some sites may rely on ***/