Firefox 87 will trim the contents of the HTTP Referer header

Mozilla has changed how the HTTP Referer header is formed in Firefox 87, scheduled for release tomorrow. To block potential leaks of confidential data, when the user navigates to another site the Referer header will by default no longer carry the full source URL from which the navigation originated, but only its origin: the path and query parameters are cut off. That is, instead of "Referer: https://www.example.com/ad/?arguments" the browser will send "Referer: https://www.example.com/". Since Firefox 59 this trimming has been applied in private browsing mode; it now extends to normal browsing as well.

The new behaviour helps prevent unnecessary user data from being passed to advertising networks and other external resources. As an example, some medical sites are cited where, in the course of displaying advertising, third parties could obtain confidential information such as the patient's age and diagnosis. At the same time, trimming part of the Referer can hurt the referral statistics of site owners, who will no longer be able to determine the exact address of the previous page, for example to understand which link the visitor followed. It can also break some dynamic content-generation systems that parse the search keywords out of the Referer when a visitor arrives from a search engine.

Referer behaviour is controlled with the Referrer-Policy HTTP header, which lets site owners override the default for navigations from their site and restore the full information in Referer. Currently the default policy is "no-referrer-when-downgrade": Referer is not sent when going from HTTPS to HTTP, but is sent in full when loading HTTPS resources. Starting with Firefox 87 the default becomes "strict-origin-when-cross-origin", which strips the path and parameters when a request goes to another host over HTTPS, drops Referer entirely when going from HTTPS to HTTP, and sends the full Referer for internal navigations within one site.

The change applies to normal navigation requests (following links), automatic redirects, and the loading of external resources (images, CSS, scripts). Chrome switched its default to "strict-origin-when-cross-origin" last year.
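To make the difference between the two defaults concrete, the following added example (not Mozilla's or Chrome's code) computes the Referer value a browser would send for a given source URL, destination URL and Referrer-Policy token. It implements all eight policy tokens from the Referrer Policy specification, not only the two named above, and follows the spec in dropping credentials and the fragment from any referrer it sends. Two simplifications are assumed: only http and https referrers are handled, and https is treated as the only "secure" scheme when deciding whether a navigation is a downgrade. The sample URLs at the bottom are constructed.

```python
"""Referer computation under the Referrer Policy rules described above.

Added example, not browser code. Assumptions: only http/https source URLs are
handled, and https is the sole "secure" scheme for the downgrade check.
"""
from urllib.parse import urlsplit, urlunsplit

OLD_DEFAULT = "no-referrer-when-downgrade"       # Firefox <= 86 default
NEW_DEFAULT = "strict-origin-when-cross-origin"  # Firefox 87 default

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_tuple(url):
    """(scheme, host, effective port): the components that define an origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORTS.get(scheme)


def _netloc(scheme, host, port):
    # Omit the port when it is the scheme's default, as browsers serialise it.
    return host if port == _DEFAULT_PORTS.get(scheme) else f"{host}:{port}"


def full_referrer(url):
    """Referrer with credentials and fragment stripped; path and query kept."""
    p = urlsplit(url)
    scheme, host, port = _origin_tuple(url)
    return urlunsplit((scheme, _netloc(scheme, host, port), p.path or "/", p.query, ""))


def origin_referrer(url):
    """Referrer reduced to the origin only, e.g. https://www.example.com/"""
    scheme, host, port = _origin_tuple(url)
    return urlunsplit((scheme, _netloc(scheme, host, port), "/", "", ""))


def same_origin(src, dst):
    return _origin_tuple(src) == _origin_tuple(dst)


def is_downgrade(src, dst):
    """True when a secure (https) page navigates to a non-https destination."""
    return _origin_tuple(src)[0] == "https" and _origin_tuple(dst)[0] != "https"


def referer_value(src, dst, policy=NEW_DEFAULT):
    """Return the Referer header value to send, or None if it must be omitted."""
    policy = policy.strip().lower()
    if policy not in POLICIES:          # unknown token falls back to the default
        policy = NEW_DEFAULT
    if _origin_tuple(src)[0] not in _DEFAULT_PORTS:
        return None                     # simplification: non-http(s) pages send nothing
    full, origin = full_referrer(src), origin_referrer(src)
    same, down = same_origin(src, dst), is_downgrade(src, dst)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if down else full
    if policy == "same-origin":
        return full if same else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if down else origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    # strict-origin-when-cross-origin
    if same:
        return full
    return None if down else origin


if __name__ == "__main__":
    # Constructed sample navigations from an ad-bearing page.
    src = "https://www.example.com/ad/?arguments"
    for dst in ("https://www.example.com/other",   # same site
                "https://ads.example.net/track",   # cross-origin, still HTTPS
                "http://ads.example.net/track"):   # cross-origin, HTTPS -> HTTP
        for pol in (OLD_DEFAULT, NEW_DEFAULT):
            print(f"{dst:35} {pol:32} -> {referer_value(src, dst, pol)}")
```

Running the script prints the old and new default side by side: the same-site navigation keeps the full URL under both, the cross-origin HTTPS navigation loses its path and query only under the new default, and the HTTPS-to-HTTP navigation sends no Referer under either. Note that a Referrer-Policy token a browser does not recognise is ignored and the default applies, so a typo in the header silently yields the new, stricter behaviour rather than the one intended.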

Source: media reports.