From:  Asa Dotzler <asa@mozilla.com>
Date:  02 Mar 2013 04:39:21 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.privacy
Subject:  Re: Shortened HTTP Referer header project

NNTP-Posting-Host:  63.245.220.240

On 2/26/2013 7:22 PM, Brian Smith wrote:
> Brian Smith wrote:
>> Also note that Google's and Facebook's use of
>> the redirect shows that prohibiting the sending of the Referer
>> header for HTTPS -> HTTP cases for values "origin" and "always" is
>> not really a way to enforce privacy-preserving behavior.
>
> Also, note that Google and Facebook must redirect to a *non-HTTPS* location for this hack to work. So, implementing my proposal should make it easier for them to switch on HSTS (Strict Transport Security) on more of their domains, and it should eliminate unnecessary HTTPS -> HTTP -> HTTPS transitions (e.g. https://facebook.com/ -> http://facebook.com?redirectTo=https://example.org -> https://example.org) in many cases. (Currently on facebook.com and google.com, a passive MitM cannot learn the target URL and an active MitM can alter the target of your link click.)
>
> So, I think this proposal is +1 security, +1 performance, and +1 privacy, though with unknown compatibility risk.
>
> Cheers,
> Brian
>

This is definitely an interesting feature and one that I'd like to see 
us tackle with Firefox.

I agree that this is +1 security, performance, and privacy and I think 
we could mitigate and manage compatibility better if our initial 
approach was simply to implement the feature for websites (and perhaps 
Firefox users through a preference setting) without actually changing 
the default way Firefox handles referrers.

Over time, and as we learn more about the impact of the changes, we can 
consider changing Firefox's default behavior.

- A
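The behaviour Brian describes above (the default HTTPS -> HTTP downgrade strip, and the HTTPS -> HTTP -> HTTPS hop that sites use to work around it) can be made concrete with a small model. This is an added example written for this page, not code from the thread or from Firefox; it assumes simplified semantics for the policy names used in the thread ("origin" sends only scheme://host/, "always" sends the full URL even on downgrade, and the default sends the full URL except on downgrade), and it treats each hop of the redirect chain as a fresh navigation from the previous URL, as a self-redirecting page would behave (3xx header redirects can be handled differently by real browsers).

```python
from urllib.parse import urlsplit, urlunsplit


def origin_of(url):
    """Return scheme://host/ for a URL (path, query and fragment dropped)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "/", "", ""))


def referer_for(policy, source, target):
    """Referer value a browser would send navigating from source to target.

    Assumed policy semantics (simplified model, not a spec transcription):
      "default": full source URL, but nothing on an HTTPS -> HTTP downgrade
      "origin":  only scheme://host/ of the source, regardless of downgrade
      "always":  full source URL, even on a downgrade
    Returns None when no Referer header is sent.
    """
    s, t = urlsplit(source), urlsplit(target)
    downgrade = s.scheme == "https" and t.scheme == "http"
    if policy == "default":
        return None if downgrade else source
    if policy == "origin":
        return origin_of(source)
    if policy == "always":
        return source
    raise ValueError("unknown policy: %r" % policy)


def follow_chain(policy, chain):
    """Referer observed by each hop of a navigation chain [page, hop1, ..., final].

    Assumption: every hop is a fresh navigation from the previous URL, which is
    how a page that redirects itself (rather than a 3xx response) behaves.
    """
    return [referer_for(policy, chain[i], chain[i + 1]) for i in range(len(chain) - 1)]


def reveals_more_than_origin(referer, source):
    """True when the Referer exposes more of the source URL than its origin."""
    return referer is not None and referer != origin_of(source)


if __name__ == "__main__":
    # Constructed chain mirroring the one quoted in the thread.
    chain = [
        "https://facebook.com/",
        "http://facebook.com/?redirectTo=https://example.org",
        "https://example.org/",
    ]
    # Default policy: the HTTP hop sees no Referer (downgrade), but the final
    # HTTPS site sees the HTTP hop's full URL, so facebook.com still leaks.
    print(follow_chain("default", chain))
    # "origin" policy on a direct HTTPS -> HTTPS link: only the origin is sent.
    print(referer_for("origin", "https://facebook.com/some/page?id=1", "https://example.org/"))
```

Running it shows that the redirect hop and a direct link under the "origin" policy both leave the destination knowing the facebook.com origin and nothing more, which is the point made in the quoted message: refusing to send Referer on HTTPS -> HTTP for "origin"/"always" does not buy privacy that the redirect does not already give away.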