
Loosen referer spoofing to allow use of Google Hangouts web app? #328

Closed
collinbarrett opened this issue Jul 24, 2017 · 15 comments

@collinbarrett

I know, any privacy-conscious user would not use Hangouts for messaging. But, assuming I have to...

With the default user.js file, the Google Hangouts web app does not allow sending messages. Receiving messages works just fine. Upon inspection of the errors in the Firefox console, it seems that the referer spoofing configuration (such as discussed in #227) might be the root cause. See the json error response below. Can anyone suggest a slightly looser configuration for the referer options to balance privacy with working Hangouts? Let me know if more information is needed.

Thanks!

{
 "error": {
  "errors": [
   {
    "domain": "usageLimits",
    "reason": "ipRefererBlocked",
    "message": "The referrer https://clients6.google.com/voice/v1/users/@me/account?checkHangoutsCallingPermission=false&key=[REDACTED]&locale=en&alt=protojson does not match the referrer restrictions configured on your API key. Please use the API Console to update your key restrictions.",
    "extendedHelp": "https://console.developers.google.com/apis/credentials?project=[REDACTED]"
   }
  ],
  "code": 403,
  "message": "The referrer https://clients6.google.com/voice/v1/users/@me/account?checkHangoutsCallingPermission=false&key=[REDACTED]&locale=en&alt=protojson does not match the referrer restrictions configured on your API key. Please use the API Console to update your key restrictions."
 }
}
@collinbarrett
Author

I just tested the relaxed branch, and it did not resolve this issue.

@fmarier
Contributor

fmarier commented Jul 24, 2017

Can anyone suggest a slightly looser configuration for the referer options to balance privacy with working Hangouts?

Try the recommended settings on https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/ and please let me know if it works.

@collinbarrett
Author

Thanks, @fmarier !

I first tried without success:

  • network.http.referer.spoofSource=false
  • network.http.referer.XOriginPolicy=2

Then, I tried with success:

  • network.http.referer.spoofSource=false
  • network.http.referer.XOriginPolicy=1

@fmarier
Contributor

fmarier commented Jul 24, 2017

Thanks @collinbarrett.

Would you mind also testing this configuration?

  • network.http.referer.spoofSource=false
  • network.http.referer.XOriginTrimmingPolicy=2

The reason is that we're currently running an experiment to see if anything would break if we changed the default referrer setting in Firefox. Reports like yours are very useful to us.

@collinbarrett
Author

I can confirm that the Google Hangouts web app works with this setting as well:

  • network.http.referer.spoofSource=false
  • network.http.referer.XOriginTrimmingPolicy=2

@fmarier
Contributor

fmarier commented Jul 25, 2017

Thanks @collinbarrett !

@nodiscc
Contributor

nodiscc commented Jul 25, 2017

@collinbarrett I think you could reopen this issue, I'd like to improve the relaxed branch with a reasonably hardened setting, that does not break commonly used web services. I'd have to check your proposed settings, and fmarier's blog post again but it looks like a decent compromise, if @pyllyukko agrees of course.

For reference my own config is just

  • network.http.referer.spoofSource=false
  • network.http.referer.XOriginPolicy=2

I don't alter network.http.referer.XOriginTrimmingPolicy. Unfortunately I am not able to test Google Hangouts right now. What would be the best combination for the relaxed branch?

@collinbarrett
Author

Re-opening per @nodiscc pending feedback from @pyllyukko . My immediate issue is resolved by customizing user.js, but maybe the user.js default should be relaxed?

@collinbarrett collinbarrett reopened this Jul 25, 2017
@nodiscc
Contributor

nodiscc commented Jul 25, 2017

maybe the user.js default should be relaxed

The setting in the default/master branch is fine as it is the most hardened configuration (do not send referer information at all).

However the setting in the relaxed branch could probably maybe be changed so that the minimal required HTTP referer information is sent (eg. still send a referer when staying on the same domain, since the service can track you anyway via plain web access logs), preventing functionality breakage.

I don't know if that's possible.

@savyajha

I've found that changing network.http.referer.XOriginTrimmingPolicy from 0 to anything else seems to break Twitter. I cannot tweet anything - it just gives me an error.

@fmarier
Contributor

fmarier commented Jul 25, 2017

still send a referer when staying on the same domain, since the service can track you anyway via plain web access logs

That's network.http.referer.XOriginPolicy = 2 but that's not enough for Hangouts apparently since Google uses different sub-domains.

That said, network.http.referer.XOriginPolicy = 1, which does work with Hangouts, is pretty much equivalent from a privacy point of view. If Google can see you in their access logs when you access their server, they can most likely also see you in their access logs on a different server they own.

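The trade-off fmarier describes above (XOriginPolicy=2 withholds the Referer between hangouts.google.com and clients6.google.com because the hosts differ, while XOriginPolicy=1 still sends it because the base domain matches, and XOriginTrimmingPolicy=2 cuts the cross-origin referrer down to scheme+host+port) can be checked with a small model of the preferences. The following is an added illustration written for this thread, not Firefox's own code: the pref semantics follow Firefox's documented values (XOriginPolicy 0/1/2 = always / same base domain / same host; XOriginTrimmingPolicy 0/1/2 = full URL / strip query / strip path and query; spoofSource = send the target URL itself as the referrer), but the base-domain check is a simplification (last two labels instead of the Public Suffix List), and the sample URLs and the `key=PLACEHOLDER` value are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Pref semantics modelled here (Firefox values at the time of this thread):
#   network.http.referer.XOriginPolicy:
#       0 = always send, 1 = send only if base domains match, 2 = send only if hosts match
#   network.http.referer.XOriginTrimmingPolicy (cross-origin requests only):
#       0 = full URL, 1 = scheme+host+port+path, 2 = scheme+host+port
#   network.http.referer.spoofSource:
#       True = put the request's own URL in the Referer header instead of the real referrer


def base_domain(host):
    """Simplified registrable-domain check: last two labels (assumption).
    Firefox uses the Public Suffix List; this shortcut is enough for *.google.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _origin(parts):
    return (parts.scheme.lower(), parts.hostname.lower(), parts.port)


def _trim(url, policy):
    """Apply the trimming policy; the fragment is never sent in any case."""
    p = urlsplit(url)
    if policy == 0:
        return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))
    if policy == 1:
        return urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    return urlunsplit((p.scheme, p.netloc, "/", "", ""))


def referrer_to_send(referrer_url, target_url, xorigin_policy=0,
                     trimming_policy=0, spoof_source=False):
    """Return the Referer value the modelled prefs would send, or None if withheld."""
    ref, tgt = urlsplit(referrer_url), urlsplit(target_url)
    if not ref.hostname or not tgt.hostname:
        return None
    same_host = ref.hostname.lower() == tgt.hostname.lower()
    same_base = base_domain(ref.hostname) == base_domain(tgt.hostname)
    if xorigin_policy == 2 and not same_host:
        return None
    if xorigin_policy == 1 and not same_base:
        return None
    value = target_url if spoof_source else referrer_url
    # Trimming applies only when the request crosses an origin boundary.
    cross_origin = _origin(ref) != _origin(tgt)
    return _trim(value, trimming_policy if cross_origin else 0)


# Constructed sample: the Hangouts page calling the clients6 API (key value is a placeholder).
HANGOUTS_PAGE = "https://hangouts.google.com/webchat/u/0/frame?v=123#top"
CLIENTS6_API = "https://clients6.google.com/voice/v1/users/@me/account?key=PLACEHOLDER"
THIRD_PARTY = "https://example.net/api"


def compare_policies():
    """Table of what each pref combination from the thread would send to clients6."""
    return {
        "XOriginPolicy=2": referrer_to_send(HANGOUTS_PAGE, CLIENTS6_API, xorigin_policy=2),
        "XOriginPolicy=1": referrer_to_send(HANGOUTS_PAGE, CLIENTS6_API, xorigin_policy=1),
        "XOriginTrimmingPolicy=2": referrer_to_send(HANGOUTS_PAGE, CLIENTS6_API,
                                                     trimming_policy=2),
        "spoofSource=true": referrer_to_send(HANGOUTS_PAGE, CLIENTS6_API, spoof_source=True),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:28s} -> {value}")
    print("third-party, XOriginPolicy=1 ->",
          referrer_to_send(HANGOUTS_PAGE, THIRD_PARTY, xorigin_policy=1))
```

Running it shows why the thread's two working combinations behave alike from Google's side: XOriginPolicy=1 sends the full same-base-domain referrer, and XOriginTrimmingPolicy=2 sends only `https://hangouts.google.com/`; either way the origin reaches a server Google already operates, while a third-party site under XOriginPolicy=1 gets nothing. It also shows that spoofSource replaces the referrer with the request URL itself, which matches the shape of the referrer quoted in the 403 error at the top of the issue.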
@fmarier
Contributor

fmarier commented Jul 25, 2017

@savyajha It works for me. Are you sure you don't have other referrer settings that interfere?

@savyajha

@fmarier My bad, you're right. I must have confused some other pref with this one for one of the network.http.referer.* preferences destroyed my ability to tweet when tweaked.

@Atavic

Atavic commented Dec 16, 2017

See: ClearURLs/Addon#17 (comment)

@pyllyukko
Owner

59cce16
