referer-mod's Introduction

Hi, I'm Fiona (aka Airtower)! 😺

I'm an independent IT engineer by trade, in addition to what you can see in my repositories my main areas of expertise are:

  • Security, especially network security, TLS, and PKI. 🔐
  • Linux (especially Debian or Alpine), again with focus on networking and security, as well as containers. 🐧
  • Software development. My main languages so far are Python 🐍, C, and Java, and I'd really like to get more experience with Rust.
  • CI & test automation. I've worked on many test suites, including ones used in security evaluation.
  • I love to dig into tricky bugs and new things! 😸

Want to work with me? Send me a mail! For encrypted mail you can find my key on keys.openpgp.org. I offer freelance consulting, development, and training, remote work strongly preferred. I'm set up for clients in the EU 🇪🇺; beyond that I might need some time to check the legalese.

referer-mod's People

Contributors

airtower-luna, dependabot[bot], gitoffthelawn, pabs3, tartpvule, wvxwxvw

referer-mod's Issues

Login to tv.apple.com not possible

Using

{
  "any": {
    "action": "remove",
    "referer": ""
  },
  "same": {
    "action": "keep",
    "referer": ""
  },
  "domains": []
}

does not allow logging in at https://tv.apple.com. After entering the mail address, the field for entering the password never shows up.

If the extension is disabled, it works without any issue.

How to whitelist this use-case?

Remove Element.innerHTML assignments

Turns out the Mozilla sanitizer doesn't like the Element.innerHTML assignments for i18n-html, even though the injected HTML can only come from the locale data. So I'll have to restructure to use text-only assignments (i18n-text).

Referrer unchanged

Hi, thanks for creating this.

I could not get it to function using Firefox Developer Edition 65.0b7 on Ubuntu.

My config:

{
  "any": {
    "action": "keep",
    "referer": ""
  },
  "same": {
    "action": "keep",
    "referer": ""
  },
  "domains": [
    {
      "domain": "support.redacted.net",
      "action": "replace",
      "referer": "https://staging.redacted.net/en/can-we-make-it/"
    }
  ]
}

I then created a link from my own website to a page at https://support.redacted.net/some-page and clicked it. The referrer sent in the headers is showing (according to Firefox dev tools' Network panel) as the original, from my own website.

Have I done something wrong, or is this a bug/compatibility issue?

Request host permissions if necessary

With Manifest v3, host permissions (used to modify requests and inject scripts) have to be requested via host_permissions (see migration guide). Host permissions are optional as a matter of principle, and as I found in tests they are not granted on install by default (or at least not the way Selenium does the installation).

Extensions can check if they have certain permissions and request them using the permissions API.

If it stays that way for the Manifest v3 release, the following seems like a reasonable approach:

  • Install the extension with modifications disabled.
  • If the user enables the extension, request host permissions.

Consider adding a default rule for <SUBDOMAINS>

Referer Modifier has a <SAME> rule that allows users to keep first-party referers, but it strictly adheres to full local hostnames, removing referers from requests between example.org and download1.example.org.

Other extensions, such as Smart Referer and Privacy Possum, consider subdomains as belonging to the same website by default, and even strongly recommend users to keep the settings that way to avoid breaking sites unexpectedly.

Since you've chosen to code <SAME> in its current form, please consider adding a new default rule for <SUBDOMAINS>, which maybe can stay grayed-out unless <SAME> is set to Keep.

I thought I would create a discussion here so people can share which `referer` modification settings they find beneficial.

Since a default referer of Target seems to work well in almost all cases, let's assume that default, and share exceptions.

Here's the proposed format:
Target | Action | Replacement | Site being Fixed | Functionality Fixed | Date Discovered (because the only thing constant is change)

The "date discovered" can be an approximate if you don't remember.

I'll lead with a few:

cdpn.io | Prune | N/A | All sites containing codepen.io examples | Allow the codepen examples to load | 2020/01/01
signin.ebay.com | Prune | N/A | ebay.com | Logging in | 2021/10/01
hcaptcha.com | Prune | N/A | Don't remember | Allow captcha to work | 2021/01/01

Originally posted by @Gitoffthelawn in #43

Help setting referrer different from the target url

Hi,
First, apologies for my stupid question, but I'm attempting to develop an mpd player based on a local html5 player template.
Sometimes I need to bypass the nasty 403 error code by passing a specific referer.
Your addon looks great and can help me to overcome my current lock.
The required referer does not always match the target URL; sometimes it is different.
As in this case:
This link: https://lb17.canaletv.live/BalcanMusicTv/index.m3u8
requires this referrer: https://tvonline123.com/
And so many other urls.
I configured the addon as in the attached screenshot to make it work.
How can I configure it to use the addon on a target-site basis?
I've added a rule for this specific site, but I get a 403 code if the same referer is not set in the "any domain" box.
I expected that if a specific rule has been set, this rule overrides all the previous rules.
I checked every option in the "any domain" box, but it works only when filled with the required referer.
As shown in the attached screenshot.

Popup window settings are broken with this addon

Popup window settings in vanilla Firefox no longer work with this addon, please fix it.

Reproduce

  1. Install referer modifier
  2. Open demo.html
  3. Click option > Allow popup window when firefox block the popup window
  4. Close tab of demo.html
  5. Open demo.html again

Expect

demo.html opens a new window (or tab) of amo automatically

Actual

Firefox blocks the popup window and the first entry of the option is Prevent popup window instead of allowing it. Click it and nothing happens; the amo popup still fails to open.

Attachment

demo.zip

<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8" />
	<title>Popup Demo</title>
</head>
<body>
	<script>
		window.open("https://addons.mozilla.org/firefox/")
	</script>
</body>
</html>

Replace dynamic content script

Manifest v3 does not allow dynamically generated content scripts (see the migration guide). Referer Modifier currently uses one to inject the current configuration into content scripts to work around Firefox bug #1601496. Alternatives (loading from storage, messaging the background script) are asynchronous and very likely don't resolve before site scripts get a chance to run and possibly access document.referrer.

What this means is:

  • If the Firefox bug is fixed, the content script can be removed without any loss of function, no matter the manifest version.
  • As long as the bug isn't fixed, Referer Modifier will have to stick with Manifest v2 as long as it's supported. If Manifest v3 becomes mandatory without a fix, we'll have to accept that page scripts that access document.referrer early will see an unmodified value.

How exactly do you bypass Cloudflare?

This particular screen:
I know it's because of referrers because disabling this extension immediately resolved the issue.
I have tried these rules but it doesn't seem to work...(both Keep and Target)

The document.referrer override feature is not working as it should

I am using Firefox ESR 78.6.0 on Linux. I found some issues here.

  1. A trivial bypass: Reflect.getOwnPropertyDescriptor(Document.prototype, 'referrer').get.call(document);
    Firefox does not actually have the referrer property on the document object, but on its prototype, Document.prototype.

  2. Due to Firefox's current limitations, there is a race condition between asynchronous operations in the extension content scripts and the page's scripts.
    It is possible for the site to sometimes grab the original referrer before sending.then(setReferrer, handleError); resolves.

<!DOCTYPE html><html>
<head><title>Test</title></head>
<body>
One <script>document.write(document.referrer);</script><br>
Two <span id="foo"></span><br>
Three <span id="bar"></span>
<script>setTimeout(function() { document.getElementById('foo').innerHTML = document.referrer; }, 0);</script>
<script>setTimeout(function() { document.getElementById('bar').innerHTML = document.referrer; }, 1000);</script>
</body>
</html>

Observe the results: in very fast-loading pages, it is possible for "One" and "Two" to show the original referrer, "One" being more likely to get it.
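Point 1 above is about where the override lives. The following added example (not referer-mod's code) uses a stand-in FakeDocument class for the browser's Document and its referrer getter, with constructed URLs, to show that an instance-level override is readable around via the prototype getter while a prototype-level override covers both read paths:

```javascript
// Added example (not referer-mod's code). FakeDocument stands in for the
// browser's Document class and its "referrer" getter; values are constructed.
function makeDocumentClass() {
  return class FakeDocument {
    get referrer() { return "https://original.example/page"; }
  };
}

// What a naive content script does: define the property on the instance.
// The prototype getter is untouched, so calling it directly still returns
// the original value.
function overrideOnInstance(doc, value) {
  Object.defineProperty(doc, "referrer", { get: () => value, configurable: true });
}

// Define the override on the prototype instead: both the normal property
// access and the direct prototype-getter call now go through the override.
function overrideOnPrototype(proto, value) {
  Object.defineProperty(proto, "referrer", { get: () => value, configurable: true });
}

// The two read paths from point 1: plain access and the prototype getter.
function readBothWays(doc, proto) {
  return {
    direct: doc.referrer,
    viaProto: Reflect.getOwnPropertyDescriptor(proto, "referrer").get.call(doc),
  };
}

function demoInstanceOverride() {
  const Doc = makeDocumentClass();
  const doc = new Doc();
  overrideOnInstance(doc, "https://modified.example/");
  return readBothWays(doc, Doc.prototype); // viaProto still shows the original
}

function demoPrototypeOverride() {
  const Doc = makeDocumentClass();
  const doc = new Doc();
  overrideOnPrototype(Doc.prototype, "https://modified.example/");
  return readBothWays(doc, Doc.prototype); // both paths show the modified value
}
```

The race in point 2 is a separate matter: a page script that runs before the content script has installed either override still reads the original value.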

Add more guidance in the extension page.

Currently you have to hover over the options in the dropdown, and there is not much information on the extension page itself.
I propose adding these lines (taken from the AMO page) to the extension page.

Keep: Do not modify the Referer
Prune: Send only the origin part of the Referer (scheme, host, and port)
Target: Send the origin of the target URL (scheme, host, and port) as Referer
Remove: Send no Referer at all
Replace: Replace the Referer with a configured value
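The five actions above, applied to a single request, as an added example that is not referer-mod's own code. It assumes a rule object of the {action, referer} shape seen in the JSON configs quoted in these issues, uses constructed URLs, and follows the addon page's statement that a missing Referer header is never added:

```javascript
// Added example (not referer-mod's own code): the five actions applied to
// one request. "rule" is {action, referer}; URLs are constructed.
function applyReferer(rule, referer, targetUrl) {
  // The extension does not add a Referer header, it only modifies or
  // removes an existing one, so a request without one is left alone.
  if (!referer) {
    return null;
  }
  switch (rule.action) {
    case "keep":
      return referer;
    case "prune": {
      // Origin only: scheme, host and port, with the trailing slash browsers
      // send under Referrer-Policy: origin (assumption: the addon's exact
      // form may differ). A Referer that does not parse as a URL, or whose
      // origin is opaque ("null"), is dropped rather than passed through.
      let origin;
      try { origin = new URL(referer).origin; } catch (e) { return null; }
      return origin === "null" ? null : origin + "/";
    }
    case "target":
      // Origin of the URL being requested, so the request looks first-party.
      return new URL(targetUrl).origin + "/";
    case "remove":
      return null;
    case "replace":
      return rule.referer;
    default:
      throw new Error("unknown action: " + rule.action);
  }
}
```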

Warn users when trying to save rule without target domain

With the code currently in #68 the settings page will silently discard any rules without a target domain while saving. This is correct behavior (because rules must have a target domain) but may be confusing to users.

A warning message should appear when the user tries to save a rule without a target domain.

Localize options page

The text on the options page is currently written in English only. At least the actual settings UI should be localized, ideally documentation too.

Fake Target Domain Referer

Some reviews on AMO request a feature that RefControl used to have as "forge": Replace the Referer with a fake one for the target domain.

Could probably be implemented by replacing the Referer header with URL.origin of the target URL.

FR: Allow specifying a source

Currently, users can specify a target domain to specify a referer.

It would be very useful to also be able to specify a source domain.

A common use for this is when a site requires complete referers (entire URL) within itself (often for API calls), but the user doesn't want to share external referers when clicking on a link to the site.

Could not download for Android

Always used the add-on on PC and phone but now I'm unable to download it on Android. It says "This add-on is not available on your platform."
Is this by design?

I'm gonna try to install the xpi directly.

Secondary/tertiary hosts (AKA sub-subdomains) do not seem to follow rules for subdomains

I'm not sure if this is a bug or intentional, but secondary/tertiary hosts (e.g. this.that.example.com) do not seem to follow the referer rules being applied to the corresponding subdomain targets (e.g. that.example.com).

You can work around this with regex, but the lack of matching likely will violate user expectations because a target specifier of example.com will match that.example.com.

Please note that I have not 100% verified this issue. I discovered it while working on a real-world scenario, but I don't currently have a web server I can quickly configure for testing.
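Both this issue and the earlier <SUBDOMAINS> request come down to host matching. The following added example (not referer-mod's matching code) shows a suffix match that lets a rule for that.example.com cover this.that.example.com, most-specific-rule selection, and a same-site check of the kind a <SUBDOMAINS> rule would need; its suffix table is a tiny constructed stand-in for the public suffix list, and all hostnames are constructed:

```javascript
// Added example (not referer-mod's own matching code); hostnames constructed.
function normalizeHost(host) {
  // Hostnames are case-insensitive; drop a trailing dot (FQDN form) so
  // "Example.COM." and "example.com" compare equal.
  return host.toLowerCase().replace(/\.$/, "");
}

// True when host equals the rule domain or is a subdomain of it at any
// depth. The "." in the suffix check keeps "notexample.com" from matching
// a rule for "example.com".
function hostMatchesRule(host, ruleDomain) {
  const h = normalizeHost(host);
  const d = normalizeHost(ruleDomain);
  return h === d || h.endsWith("." + d);
}

// Most specific match wins (longest rule domain), so a rule for
// "that.example.com" beats one for "example.com" on this.that.example.com.
function findRule(host, rules) {
  let best = null;
  for (const rule of rules) {
    if (hostMatchesRule(host, rule.domain) &&
        (best === null || rule.domain.length > best.domain.length)) {
      best = rule;
    }
  }
  return best;
}

// Registrable domain (eTLD+1). KNOWN_SUFFIXES is a constructed stand-in for
// the public suffix list; a real implementation needs the full list, else
// "a.github.io" and "b.github.io" would wrongly count as the same site.
const KNOWN_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);
function registrableDomain(host) {
  const labels = normalizeHost(host).split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (KNOWN_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return null; // bare suffix or unknown TLD: no registrable domain
}

// What a <SUBDOMAINS> rule would test: example.org and download1.example.org
// belong to the same site, so a first-party referer could be kept.
function sameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  const b = registrableDomain(hostB);
  return a !== null && a === b;
}
```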

Design for options page

The options page right now is very much a "works for me" style. It'd be nice to have proper CSS styles, and maybe an updated structure too. Input validation before saving would be a plus.

AMO documentation recommends using the Photon Design System.

Some potential features like source match (#15) or regular expressions (#6) will need room for configuration, so opening a separate setting page instead of including options in the add-on view might be better to have more room.

I'd rather not add any dependencies.

Add referrer headers (replace setting)

The addon page states the following:

Referer Modifier does not add Referer headers, it only modifies or removes existing ones.

IMHO, when running "replace", then that referrer should always be sent. There could always be a global setting or a checkbox next to the rule indicating whether a referrer header should always be sent.

That's how RefControl used to work.

I'm currently using Referer Control, which has that functionality but isn't maintained and has all sorts of other issues.

Unfortunately, since Firefox switched to the new addon system, yours and the other addons I mentioned are all that is left.

Thank you for all your efforts.

FR: Allow toolbar button to toggle extension functionality on/off

The fun new toolbar button opens the settings page. This is certainly reasonable, but I find I want to toggle the extension's functionality on/off more frequently than I want to change any of its settings. I frequently need to momentarily toggle the extension off to help determine what is causing a broken page to not load as expected.

Would there be a way to allow the toolbar button to toggle the extension's functionality, and have access to its options page via the toolbar button's context menu?
