Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Where you were before

> news.ycombinator.com

This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.



The Referer header is the one that's hardest to opt out of cleanly, strip it at the network level and too many things break. Referrer-Policy lets the origin set the rule, but the visitor doesn't get to choose. There's a quiet move toward Referrer-Policy: strict-origin-when-cross-origin as a sane default in modern browsers but it's still origin-dictated, not visitor-dictated.


I strip/forge it with a old, probably outdated firefox extension (Referer Control.) But you still got news.ycombinator.com. How? I thought the extension was broken, but it's not.

That was actually my only surprise, everything else I was expecting.

edit: ignore this, looks like I just needed to save my preferences again. Thanks for showing me that I have been leaking my referer for some mysterious amount of time.


It's interesting that this breaks things. When trying to link to an internal password vault at work it would always break. People would have to click the link on my site, then reload it to get the page to load. This wan an issue for years, across multiple versions and despite many people offering up ideas to help solve it. One day I thought maybe it was a referrer issue, so I had it open with noopener,noreferrer, and that fix it.

It seems odd that any site would require a user come from somewhere.


I just found a new(?) setting in Firefox, to spoof the Referer header, instead of omitting it. Will try that for a while and see how it works.

  about:config -> network.http.referer.spoofSource


Hah I remember the picture of the scrotum.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: