Opened 2 years ago

Closed 2 years ago

#1862 closed defect (fixed)

Disable HTTP referer stripping by default

Reported by: unknown11
Owned by:
Priority: minor
Milestone: 0.9.29
Component: apps/i2ptunnel
Version: 0.9.27
Keywords: http, proxy
Cc:
Parent Tickets:

Description

By default, the HTTP proxy tunnel strips some headers like HTTP_REFERER and HTTP_USERAGENT.

I guess this "feature" was introduced a long time ago, when it was reasonable, but in 2016 it provides no protection to the user and creates a lot of problems for eepsite owners.

It does not protect the user from fingerprinting, since the webapp can still find out the referer and UserAgent with JavaScript. Users don't need such "protection". To be really secure, the user has to configure his web browser anyway.

It breaks many webapps, since they use HTTP_REFERER as a variable to redirect their users. Website owners need to either patch their software, or choose software which doesn't break.

(I know HTTP_REFERER is unreliable data, but tell that to FluxBB developers.)

The point is: it is obsolete, it does not accomplish anything, but breaks many apps. It should be off by default.

Change History (1)

comment:1 Changed 2 years ago by zzz

  • Milestone changed from undecided to 0.9.29
  • Resolution set to fixed
  • Status changed from new to closed

Client proxy changed to pass through relative referer URIs, and convert same-origin absolute URIs to relative. Absolute non-same-origin URIs are still stripped. This should work for any server software checking referers, but I didn't install FluxBB to test. In 9cf04201b4d100b0b635270a29892728f4933934 to be 0.9.28-6

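The rewriting rule described in comment:1 (a relative Referer is passed through, a same-origin absolute Referer is converted to its relative form, and an absolute Referer for any other origin is stripped), written out as an added Python example. This is not the i2ptunnel Java code from the commit above; the destination host forum.i2p, the other host names and the sample Referer values are constructed for illustration.

```python
"""Referer filtering policy for an HTTP client proxy.

Added example, not i2ptunnel code. Policy, as in the ticket resolution:
  * relative Referer (no scheme, no host)     -> passed through unchanged
  * absolute Referer, same origin as request  -> rewritten to path?query
  * absolute Referer, any other origin        -> dropped (None)
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """(scheme, host, port) of a split URL, defaults applied, or None if malformed."""
    scheme = (parts.scheme or "http").lower()
    try:
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # .hostname is already lower-cased and has userinfo / IPv6 brackets removed
    return (scheme, parts.hostname, port or DEFAULT_PORTS.get(scheme))


def rewrite_referer(referer, request_host, request_scheme="http"):
    """Return the Referer value to forward to request_host, or None to strip it."""
    if referer is None:
        return None
    referer = referer.strip()
    if not referer:
        return None
    parts = urlsplit(referer)
    if not parts.scheme and not parts.netloc:
        # Relative URI: carries no origin, so nothing to hide; pass through.
        return referer
    ref_origin = _origin(parts)
    req_origin = _origin(urlsplit(f"{request_scheme}://{request_host}"))
    if ref_origin is None or ref_origin != req_origin:
        # Cross-origin (or unparsable) absolute URI: the destination must not
        # learn which other site the user came from.
        return None
    # Same origin: keep path and query, drop scheme and host. Collapse any
    # leading "//" so the result cannot be read as a network-path reference
    # ("//evil.i2p/x") once the host is gone.
    path = "/" + parts.path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, ""))


def filter_request_headers(headers, request_host, request_scheme="http"):
    """Apply the policy to one request's header dict; other headers are untouched."""
    out = {}
    for name, value in headers.items():
        if name.lower() == "referer":
            kept = rewrite_referer(value, request_host, request_scheme)
            if kept is not None:
                out[name] = kept
        else:
            out[name] = value
    return out


if __name__ == "__main__":
    HOST = "forum.i2p"  # constructed destination eepsite
    samples = [          # constructed Referer values
        "/viewtopic.php?id=5",
        "http://forum.i2p/viewtopic.php?id=5",
        "http://FORUM.i2p:80/login.php",
        "http://forum.i2p:8080/login.php",
        "http://other.i2p/viewtopic.php?id=5",
        "//other.i2p/",
        "http://forum.i2p//evil.i2p/x",
    ]
    for ref in samples:
        print(f"{ref!r:42} -> {rewrite_referer(ref, HOST)!r}")
```

Same-origin is compared as scheme, host and port, so a referer from forum.i2p:8080 is stripped when the request goes to forum.i2p:80; that is stricter than comparing host names alone, which is the safe side for a proxy that cannot know which ports belong to one site.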