Referer spoofing security concerns, maybe
Posted: 2014-08-02, 04:56
OK, this is not anything critical; my PM is working fine.
So, if you're busy just skip this for now. I can't seem to figure this out. I just want to describe it now. Then I'll test more when my brain is awake.
FIRST, THE BACKGROUND
To take advantage of the new granular referer control in 24.7, I set the 3 granular referrer settings in PM as I wanted.
network.http.referer.XOriginPolicy: 0 (always send, regardless of domains)
network.http.referer.spoofSource: true (use target as referer, i.e. spoof)
network.http.referer.trimmingPolicy: 2 (trim to host (subdomain) not full path: scheme+host+port)
and the old setting still:
network.http.sendRefererHeader: 2 (default, always send referrer)
I thought with this I would probably not need an addon for referer control so I disabled the Referer Control addon. But left it installed just in case there was a need for site specific settings.
I also (unrelated to above) decided to disable the UA compatibility mode which adds Firefox to the UA string. I wanted to know which sites I regularly visit would have a problem with Pale Moon. The Mozilla Addons site (addons.mozilla.org, aka AMO) not surprisingly would not cooperate. Everything was greyed out, and the download links were not functional. So I added a site specific override for the Mozilla Addons site that included "Firefox/28.0" and this seemed to be working well.
Well, a while later I noticed in the header log a link to google.com/recaptcha! But it had not ever shown on screen. Even though the referer showed as google, I knew from the pages I was browsing the request was coming from the AMO site. I checked Request Policy, and it did not show google.com there either (just the usual blocking of google-analytics I think). So, I wondered how this could get by all my security. I even have an attempted block of *google* (anything with google in the URL) setup in BlockSite. (I am not sure that this has ever worked though - could be incorrect syntax.)
NOW THE PROBLEM
I am wondering if the spoofing of the referrer could defeat some security efforts like the cross-site link blocking in Request Policy. I don't know if RP or other similar addons depend on referer or whether they use something else to determine source. I'd like to ask the developer of RP, but he has more or less abandoned support and development of his addon. And I don't think this is a typical issue for NoScript to block (unless it would be through some of the advanced settings) so I am not inclined so far to ask on the NoScript forum. I know it should not affect BlockSite if I had it working but I have not tested that enough to trust it yet (it doesn't show me what it blocks).
So I need to test this more. But any help from anyone who understands the details would be welcome.
P.S. we need bigger smileys; I can't see these little things
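Added example (not from the post or from Pale Moon): a simplified model of the four referer prefs listed above, run against the post's own scenario of an AMO page pulling a reCAPTCHA script from google.com. It shows why the header log attributes the request to Google under these settings while the true requesting document is still AMO. Check ordering and the base-domain comparison (last two labels instead of the public suffix list) are simplifications, and the URLs are constructed.

```javascript
// Constructed model of the Firefox/Pale Moon referer prefs from the post.
// Not browser code: check ordering and base-domain matching are simplified.
const POST_PREFS = {
  sendRefererHeader: 2, // 0 never, 1 user-clicked links only, 2 always
  xOriginPolicy: 0,     // 0 always send, 1 same base domain, 2 same host
  spoofSource: true,    // send the target URL as the Referer
  trimmingPolicy: 2,    // 0 full URL, 1 strip query/fragment, 2 origin only
};

// Approximate base domain as the last two host labels (simplification).
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Apply trimmingPolicy to a URL object and return the Referer value.
function trimReferer(url, policy) {
  if (policy >= 2) return url.origin + '/';
  if (policy === 1) return url.origin + url.pathname;
  url.hash = ''; // fragments are never sent
  return url.href;
}

// Compute the Referer a request from sourceUrl to targetUrl would carry.
// userClicked marks a user-initiated navigation; inline scripts/images are not.
// Returns null when no Referer header is sent at all.
function computeReferer(sourceUrl, targetUrl, prefs, userClicked = false) {
  const src = new URL(sourceUrl);
  const dst = new URL(targetUrl);
  const level = userClicked ? 1 : 2;
  if (prefs.sendRefererHeader < level) return null;
  if (prefs.xOriginPolicy === 2 && src.host !== dst.host) return null;
  if (prefs.xOriginPolicy === 1 &&
      baseDomain(src.hostname) !== baseDomain(dst.hostname)) return null;
  // With spoofSource the header names the target; the real source is not sent.
  const referer = prefs.spoofSource ? new URL(dst.href) : src;
  return trimReferer(referer, prefs.trimmingPolicy);
}

// The post's scenario (constructed URLs): an AMO page loads a Google script.
const AMO_PAGE = 'https://addons.mozilla.org/en-US/firefox/addon/example/?src=search';
const RECAPTCHA = 'https://www.google.com/recaptcha/api.js';

// Would a filter that derives the request's source from the Referer header
// correctly attribute the request to the page that made it?
function refererIdentifiesSource(sourceUrl, targetUrl, prefs) {
  const ref = computeReferer(sourceUrl, targetUrl, prefs);
  return ref !== null && new URL(ref).host === new URL(sourceUrl).host;
}

console.log(computeReferer(AMO_PAGE, RECAPTCHA, POST_PREFS)); // https://www.google.com/
console.log(refererIdentifiesSource(AMO_PAGE, RECAPTCHA, POST_PREFS)); // false
```

With spoofSource on, a Referer-based filter sees google.com as the source of the request; a blocker that uses the browser's own record of the requesting document is not affected by this header.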