New Firefox update prevents accidental leak of sensitive data

Privacy
(Image credit: Shutterstock / Valery Brozhinsky)

The newest version of the popular open source Firefox web browser ships with a stricter Referrer Policy that’ll help protect sensitive user information against accidental leaks.

Firefox 87, which will drop later today, will trim details that reveal identifying information about the user, from the HTTP referrer header.

"Unfortunately, the HTTP Referrer header often contains private user data: it can reveal which articles a user is reading on the referring website, or even include information on a user's account on a website," write Mozilla's Dimi Lee and Christoph Kerschbaumer in a blog post announcing the switch to the new policy.

TechRadar needs you!

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

Evolving web

The developers explain that HTTP referrer headers contain details about the location that’s led visitors to the current website. While these are usually used for innocuous reasons such as analytics, the referrer headers often also include sensitive user information as well.

With the introduction of the Referral Policy HTTP header, websites could control what details about the visitors were passed on to the next one. But if a website didn’t have a referrer policy, browsers default to the ‘no-referrer-when-downgrade’ setting, which does trim details about the referrer when navigating to a less secure resource, but still transmits the full URL including path and query information of the source.

“The ‘no-referrer-when-downgrade’ policy is a relic of the past web,” argue the developers as they reveal that Firefox 87 will instead adopt a strict-origin-when-cross-origin’ setting that will completely remove any user sensitive information from the referral URL. 

The developers add that the new policy will be applicable to all navigational requests, redirected requests, and requests for sub-resource, such as image, style, and script, which they assert will lead to “a significantly more private browsing experience.”

Via: BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.