Page 1 of 1

Does ttrss send referral when clicked on a link within?

Posted: 07 Jul 2014, 07:43
by kurahan
Hi

Forgive me if this is a dumb question. This is a rather privacy related issue. Does ttrss send any link/click referral when I click on a link in ttrss?

thanks

Re: Does ttrss send referral when clicked on a link within?

Posted: 07 Jul 2014, 08:49
by fox
that's not how http referrer works.

Re: Does ttrss send referral when clicked on a link within?

Posted: 07 Jul 2014, 12:12
by jakob42
Your browser sends the referer (http://en.wikipedia.org/wiki/HTTP_referer), all you could do is use an anonymizer service. I guess that could be done by a plugin if you wanted to write one.

Re: Does ttrss send referral when clicked on a link within?

Posted: 07 Jul 2014, 13:27
by zeiram
Or "simply" access your tt-rss installation via https only. (Browsers don't send referrers when the hosted page is on https and the destination is http.)

Re: Does ttrss send referral when clicked on a link within?

Posted: 07 Jul 2014, 18:28
by kurahan
Hi

Thanks for all the replies. This is very helpful. I am already using https for my ttrss server. That seems like it takes care of the issue.

Re: Does ttrss send referral when clicked on a link within?

Posted: 08 Jul 2014, 03:06
by undefined
kurahan wrote:Hi

Thanks for all the replies. This is very helpful. I am already using https for my ttrss server. That seems like it takes care of the issue.


not quite.

for firefox whether the "Referer" header is sent when an HTTPS website refers the browser to another HTTPS website is dependent upon the network.http.sendSecureXSiteReferrer setting.

RFC 2616 only says that the Referer header should not be sent HTTPS->HTTP, but doesn't address HTTPS->HTTPS, so firefox sends the Referer header when navigating HTTPS->HTTPS and network.http.sendSecureXSiteReferrer is set true (the default). last time i checked (ie years ago) chrome sent the Referer header for HTTPS->HTTPS. not a big deal years ago even for the conspiracy theorists, but now a lot of websites are going HTTPS (google, facebook, twitter) and are known to be tracking users.

so if you are really paranoid then make sure your tt-rss installation is HTTPS and you use firefox with network.http.sendSecureXSiteReferrer set false. the only websites i've had break are extranet/internet portals linked to by corporate intranets which are authorizing users using the Referer.

Re: Does ttrss send referral when clicked on a link within?

Posted: 08 Jul 2014, 03:59
by mrc0mmand
undefined wrote:
kurahan wrote:Hi

Thanks for all the replies. This is very helpful. I am already using https for my ttrss server. That seems like it takes care of the issue.


not quite.

for firefox whether the "Referer" header is sent when an HTTPS website refers the browser to another HTTPS website is dependent upon the network.http.sendSecureXSiteReferrer setting.

RFC 2616 only says that the Referer header should not be sent HTTPS->HTTP, but doesn't address HTTPS->HTTPS, so firefox sends the Referer header when navigating HTTPS->HTTPS and network.http.sendSecureXSiteReferrer is set true (the default). last time i checked (ie years ago) chrome sent the Referer header for HTTPS->HTTPS. not a big deal years ago even for the conspiracy theorists, but now a lot of websites are going HTTPS (google, facebook, twitter) and are known to be tracking users.

so if you are really paranoid then make sure your tt-rss installation is HTTPS and you use firefox with network.http.sendSecureXSiteReferrer set false. the only websites i've had break are extranet/internet portals linked to by corporate intranets which are authorizing users using the Referer.


I'd just like to add that if you use Google Chrome and you want to disable referrer headers, you can launch Chrome with --no-referrers parameter. Or for quick access (on Windows) just modify your Chrome shortcut to something like this: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-referrers

Re: Does ttrss send referral when clicked on a link within?

Posted: 08 Jul 2014, 10:51
by dxbi
There actually is a way to tell your browser never to send Referrer-Headers to links originating from a page:

Code: Select all

<meta name="referrer" content="never">

(see http://wiki.whatwg.org/wiki/Meta_referrer)

This has been implemented at least in Chrome/Chromium for a while.
Somebody please write a pull request because honestly I just don't care enough at the moment :)

Re: Does ttrss send referral when clicked on a link within?

Posted: 08 Jul 2014, 11:09
by fox
yes adding a browser-specific hack implemented in chrome only because of privacy freaks? sounds like an excellent idea

don't bother