  • #3809
Closed
Created Aug 25, 2011 by Mike Perry (@mikeperry)

Remove referer spoofing support

Referer spoofing breaks browser navigation due to an interaction with our content policy. We could alter the content policy, but that would make the toggle model even less safe, because of Firefox API limitations. Basically the fix would increase the probability that some requests might leak through from one torbutton state to another.

I am kind of torn. On the one hand, since we don't really support the toggle model, it might be fine to make it (more) insecure. However, I don't really think the referrer blocking feature is very useful, and I am planning on removing it in the next major release. So to break it for this reason seems kind of silly.

Hence, let's hide the referer spoofing option, demoting it to an about:config pref only, to prevent people from breaking their TBBs with it.

We will remove the pref entirely in a future release.
