Spoof or block HTTP referral header

[omentic]

Prerequisites

• I verified that this is not a filter issue (MUST be reported at filter issue tracker)
• This is not a support issue or a question
• I performed a cursory search of the issue tracker to avoid opening a duplicate issue
• The issue is not present after wholly disabling uBlock Origin ("uBO") in the browser
• I checked the documentation to understand that the issue I report is not a normal behavior

I tried to reproduce the issue when...

• uBO is the only extension
• uBO with default lists/settings
• using a new, unmodified browser profile

Description

(The issue is present after disabling uBlock Origin in the browser.)

The HTTP referral header leaks potentially identifying and frequently unwanted information about the user.

A specific URL where the issue occurs

https://www.google.com/search?q=test+your+referrer+url+vividata

Steps to Reproduce

1. Open the specific url above.
2. Click on the first link in the search results: https://members.vividata.ca/test-your-referrer-url/
3. Observe that the previous site can be found from the HTTP referrer.

Expected behavior

uBlock Origin could add blocking the HTTP referral header as a privacy setting.

There is (to my knowledge) no upside to the referral header, from a user experience.

Actual behavior

The referral header is not blocked or spoofed, and sites can find out the previous page you visited. This has privacy implications, particularly around fingerprinting - but more generally, it's just excess information that is usually used in a bad way.

Here's an example of the referral header being used for malicious purposes (click on the article link, potentially NSFW): https://news.ycombinator.com/item?id=3132752

uBlock Origin version

1.36.2

Browser name and version

Ungoogled Chromium 91.0

Operating System and version

Arch Linux 5.12

[uBlock-user]

Duplicate of gorhill/uBlock#3604

[omentic]

@uBlock-user Would you mind leaving open this one instead? Discussion is locked on the old issue tracker.

[uBlock-user]

Discussion is locked on the old issue tracker.

You just commented here, so no need to keep it open.

[omentic]

Right, but it gets confusing if all discussion happens under a closed issue.

If not no worries.

[gorhill]

I was looking at this one recently and investigated what could be done, and came to the conclusion the safest approach would be to simply expose the setting referrersEnabled as a global privacy setting.

[baptx]

@gorhill Since uMatrix is not supported anymore, it would be nice to have the same per-site switch "Spoof Referer header" in uBlock.
Related: gorhill/uBlock#3604

[omentic]

Note that Firefox and now Ungoogled Chromium allow disabling the referer in their flags.

[baptx]

@J-James I heard that but it would be nice to have a per-site setting so we can quickly disable it for a site only if there is an issue. Blocking the Referer HTTP header can also be done with an addon like Header Editor (which supports request and response headers) but it is less convenient than the uMatrix switch.