This seems to work pretty well on Google search results. If you haven't noticed, Google search has this anti-feature bordering on the dark pattern where hovering a link shows the correct destination URL but right-clicking it (eg. to copy the destination URL) instantly replaces it with an nested Google redirect (I assume they're doing this for the tracking, statistics, etc.)
After some testing, it appears that this plugin offers better referer hiding than Google's redirect. I've verified that it completely hides the referer, whereas Google at least reveals that you're coming from Google (which makes sense, since website owners will see this and it can encourage them to subscribe to Google Analytics so they can see some of those hidden details).
Also, referer hiding does not justify URL substitution as a result of right-clicking a link. That just forces less savvy users to give Google an additional clickthrough when all they want is the URL.
Hopefully you've verified that the referer hiding is due to the plugin and not your personal settings. That's a great feature in a plugin, since many users appreciate referer hiding being the default for search engine clicks.
Can someone explain why my browser provides referer info at all? Why isn't this a permission I need to give away? What common features that the user needs on the web rely on it?
If you are using Firefox, you can disable referrer info without using a plugin. Here‘s how:
In the URL bar, type the following and press enter:
about:config
Now search for the following entry on the page:
network.http.sendRefererHeader
The default value is 2. Change this to 0. This disables the referrer header.
Note that some sites won‘t allow you to sign in or register if the referrer header is disabled (e.g. Pinterest), so you may have to temporarily enable the referrer header in those instances.
A final point is that this Firefox setting obviously has no effect if referral info is already appended to the URL (as is the case with Google search results).
The default value is false. Change it to true. This causes Firefox to instead submit the website being requested as the referrer; leaking no information, but breaking fewer sites.
It's one of these things that were added once, pages started to rely on it and now nobody wants to turn it off globally because things will break. They've added ways for sites to control if/how much information is sent on outgoing links though in recent browsers.
e.g. in HN's HTML you find
<meta name="referrer" content="origin">
which tells the browser to only send the domain, but not the exact URL.
>What common features that the user needs on the web rely on it?
- Website owners and content creators use the Referer to see where their users are coming from, which allows them to make content which is more suitable, which indirectly benefits the user.
- It helps prevent hotlinking, so it can protect small websites from getting hammered, which again could indirectly benefit the user.
I guess the point is that everyone's a "user" of HTTP, including website owners, and their interests are partly linked to yours. In an objective sense I find the standard still makes sense. In an individualistic sense, things are more complicated.
Note: Because the source of a link may be private information or
may reveal an otherwise private information source, it is strongly
recommended that the user be able to select whether or not the
Referer field is sent. For example, a browser client could have a
toggle switch for browsing openly/anonymously, which would
respectively enable/disable the sending of Referer and From
information.
Not that it should be asked for; just that it should be configurable. Subtle but important difference. Firefox is following this recommendation, but doesn't ask for it explicitly.
Many people consider that to be an important privacy leak.
To put this into perspective: I used to have a webpage which ranked quite highly for searches related to chastity belts. Do you think the average visitor would appreciate me knowing the exact search terms that landed them on my page?
I used to host a site for a local youth sports team.
Almost all the referrer logs from Google Images had search terms like "hot under 13 girls". I banned the Google Image robot from the site, since no useful visitors arrived this way.
Honestly, I trust Joe Random Webmaster a lot more than I trust Google, because some small site manager doesn't already have a vast corpus of data about me.
I actually trust Joe Random Webmaster a lot less than Google. Google has a lot of power, but from past experience, I've run into many privacy issues with malicious or misguided website owners while I'm unlikely to run into a serious one with Google.
At least assuming none of their employees goes very rogue and starts leaking data en masse, or has a personal vendetta against me or something. I know something like that happened once (https://www.wired.com/2010/09/google-spy/), but the odds are probably still pretty low.
Yes, but my adversary in that case is the NSA. Even if Google (or other similar companies) didn't exist, NSA would try to get that data one way or another.
Also, though it may be naive, I believe Google does not intend to cooperate with the NSA any more than they're absolutely legally required to.
By concealing the keywords people were searching for to land on your website, they force content hosters and ad networks to depend on the Google analytics + ads ecosystem. With these keywords, you could gather information about your Google rank for queries.
Whether it's net beneficial for you as a browser owner to pass referrer information - probably it is if you like the people hosting the content you read, as it helps them understand their traffic and improve their service. If you don't like them (probably because they are spam) then this just helps them be more effective spammers.
The refferer can be sensitive both security and integrity wise. Would you like any destination to find out that you came from any of these sites: example.com/admin/?password=xyz or gaymidgetporn.com/forum/how-to-enlarge-penis
On the other hand, if you suddenly have 100 times the traffic an image on your server got hotlinked elsewhere, wouldn't you want to know what is going on? There's upsides and downsides.. I can't really make up my mind what I'd prefer, other than the utopian option of "all users know what they're doing and how to configure their browsers".
I wonder whether Google deliberately makes it hard to copy a real URL to the clipboard or whether it's a careless unintended side effect of tracking context menu open in new tab operations.
There used to be 'Google Tracking-B-Gone' userjs, but it stopped working some time ago. I patched mine locally, also stripping tracking from Image results. Quick googling shows someone updated it recently https://greasyfork.org/en/scripts/1810-google-tracking-b-gon...
I have second version stripping tracking from Gmail links (yes, google tracks your clicks in gmail). Should probably throw them up on github.
I just found & installed the "Copy Real Url" [1] Chrome Extension which adds a context menu item to copy the 'clean' url on Google and other sites. It works well and the code is simple and short.
We do some of that in Ad Limiter, for some ad links. We want to know the real destination site so we can rate it for legitimacy. Ad Limiter puts the real destination URL back into the DOM, so if the user does click on the ad, ad tracking is bypassed. This is just a side effect of rating. But if users like it, we could do more of this.
I'd considered making HEAD requests for all ad links to try to track through all the redirectors and ad services to the final site. That would probably result in lots of fake clicks for advertisers, though. There's also the question of what ad networks do with a HEAD request. Time to look at this again and run some tests.
Despite the name, so does the one that I linked. (I only see a mention of Yandex in the description, but I could have sworn it works on any page using the same tricks.)
Redirector (https://github.com/einaregilsson/Redirector/) lets you create your own rules for all kinds of purposes and have complete control over them (including by testing them against different URLs).
The subject of this thread seems to come preloaded with some a bunch of URLs and strings and doesn't let you create separate manipulation rules. It's literally just a "cleaner".
How would this affect affiliate tracking on a site like Kayak or priceline? Wouldn't it scrub over the affiliate id? Seems like that could be a major headache for sites that use URLs to track referrals/sales.
Nature of the web, really. As a website, you control the content you send out to the user, but that's where it ends. If the client rewrites the content as per the user's needs or wants, that's out of the site owner's control (unless you want an arms race, of course, in which case it's pretty much lost by default for site owners vs all users on the planet)
the only way I can see around this would be to give every affiliate a unique hostname on the target domain. then the site owner would identify the affiliate using the hostname of the incoming request. next step in the arms race would then be for an addon to understand per-domain rules for rewriting hostnames. lather, rinse, repeat.
