Document.referrer

The only test on privacytests.org that every (desktop) browser fails to pass is document.referrer (under the navigation section).

Does anyone know the reason for this, or have any context or educated guesses?
My assumption is that there must be some substantial usability tradeoff or other barrier, but that is just a guess.

I do see that for Android, @SkewedZeppelin’s Mull browser and Cromite do pass this test.


Document.referrer

Navigation tests
Which browsers prevent websites from sharing tracking data when you click on a link?
document.referrer

The Referrer [sic] request header is a mechanism used by browsers to let a website know where the user is visiting from. This header is inherently tracking users across websites. In recent times, browsers have switched to a policy of trimming a referrer to convey less tracking information, but Referrer continues to convey cross-site tracking data by default.

It’s likely the network.http.referer.XOriginPolicy in Firefox, and it can cause breakages as stated in Broken - DivestOS Mobile:

Mull has stripped referrers. This often breaks loading of images on websites with hotlink protection. Navigate to about:config and change network.http.referer.XOriginPolicy from 2 to 1, this is however a privacy risk.

I think the problem is there are no good ways to do “blacklist - whitelist” based on websites / domains. You turn off all or you turn on all.

3 Likes

You’re right. I set this to 2, and re-ran the test. It passes.

In addition to Mull’s warning about breakages [1] I see that Arkenfox has a slightly different warning as well [2]. Taken together that seems to explain why this setting isn’t enabled by default (and answers my question).


  1. “often breaks loading of images on websites with hotlink protection” ↩︎

  2. “Will cause breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram” ↩︎

1 Like
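
Added example, not part of any post in this thread and not Firefox's own code: a small model of what a destination sees as the referrer under each value of network.http.referer.XOriginPolicy (0 = always send, 1 = only when base domains match, 2 = only when hosts match), layered on the default strict-origin-when-cross-origin trimming. The `baseDomain` helper is a hypothetical simplification (Firefox uses the Public Suffix List) and all hostnames are constructed placeholders.

```javascript
// Added illustration, not Firefox source code. Models which referrer a
// destination sees under network.http.referer.XOriginPolicy:
//   0 = always send, 1 = only if base domains match, 2 = only if hosts match.

// Assumption: "base domain" is simplified to the last two labels; Firefox
// itself uses the Public Suffix List.
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Default referrer policy (strict-origin-when-cross-origin): full URL for
// same-origin requests, origin only for cross-origin, nothing on downgrade.
function trimReferrer(from, to) {
  if (from.origin === to.origin) return from.origin + from.pathname + from.search;
  if (from.protocol === 'https:' && to.protocol !== 'https:') return '';
  return from.origin + '/';
}

function referrerSent(fromUrl, toUrl, xOriginPolicy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (xOriginPolicy === 2 && from.hostname !== to.hostname) return '';
  if (xOriginPolicy === 1 &&
      baseDomain(from.hostname) !== baseDomain(to.hostname)) return '';
  return trimReferrer(from, to);
}

// Constructed sample requests (hostnames are placeholders).
const CASES = [
  ['cross-site link', 'https://news.example.com/story?id=7', 'https://other.test/landing'],
  ['image on sibling host', 'https://www.photos.example/gallery', 'https://img.photos.example/a.jpg'],
  ['same-host link', 'https://www.photos.example/gallery', 'https://www.photos.example/about'],
];

function report() {
  return CASES.map(([label, from, to]) => ({
    label,
    policy0: referrerSent(from, to, 0),
    policy1: referrerSent(from, to, 1),
    policy2: referrerSent(from, to, 2),
  }));
}

console.table(report());
```

The "image on sibling host" row is the hotlink-protection case from the thread: with 1 the image host still receives the page's origin, with 2 it receives nothing.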