Firefox private browsing trims request referrer headers.
A site I develop for checks authenticity by checking a passed value confirming it it valid for a given referring url. The request has a referrer header which in regular windowed firefox is the full url of the requesting site. In private browsing mode the referrer header is only the host part of the url and does not contain the full path. It is the path that is commonly required to verify the site. Is this expected behaviour or a bug?
This has been confirmed both on macOS and Windows 10 using Firefox Quantum 61.0.
A site I develop for checks authenticity by checking a passed value confirming it it valid for a given referring url. The request has a referrer header which in regular windowed firefox is the full url of the requesting site. In private browsing mode the referrer header is only the host part of the url and does not contain the full path. It is the path that is commonly required to verify the site. Is this expected behaviour or a bug?
This has been confirmed both on macOS and Windows 10 using Firefox Quantum 61.0.
All Replies (1)
hi, yes that appears to be the intended behaviour accoring to https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/