webextension-skip-redirect
use tab.update instead of redirectUrl to vanish referer
Skipping a redirect by returning redirectUrl will increase some privacy risk.
Without this addon, consider clicking a link in https://forum.com/post-xxxxxx
which originally points to https://redirect.forum.com/dest=http://badsite.com.
badsite.com can't see the visitor's source post ID from the referer. The referer is just https://redirect.forum.com/.
After changing the target URL by returning a redirectUrl, the referer will expose the visitor's source, https://forum.com/post-xxxxxx.
So, use tab.update to make the referer empty.
I am wondering whether this is right. I couldn't find a way to set a referrer manually, but using tab.update seems like a big change. Even if it works I'd expect to either set the requests to non-blocking or return cancel instead of nothing.
> return cancel instead of nothing
Your idea is right. I also think returning cancel is the right way. Returning cancel means canceling the original request and letting tabs.update navigate the tab to a new URL.
But there seems to be a Firefox bug. Returning cancel also cancels the tabs.update. On Chrome there's no such bug.
In another addon of mine, I did this: https://github.com/garywill/autoReferer/blob/84f17e1be5f57c9684b5fe163cc93941d02d96b2/g_background.js#L127-L131
Guess we need to file a bug to Mozilla:
- Need a way to redirect a request with no referer
  - Add an option, like `return { redirectUrl: xxxxxxxxx, noReferer: true }`
- Fix the bug that returning cancel also cancels the tabs.update
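
The approach discussed in this thread, sketched as an added example that is not code from the pull request or from the extension: a blocking `onBeforeRequest` listener that starts a new navigation with `tabs.update` instead of returning `redirectUrl`. The names `extractTarget`, `makeListener` and `cancelOriginal` are hypothetical, and the extension namespace is passed in as `api` so the logic can run against a stub.

```javascript
// Added example; extractTarget, makeListener and cancelOriginal are hypothetical names.

// Pull an absolute http(s) URL out of a redirector URL such as
// https://redirect.forum.com/dest=http://badsite.com (plain or percent-encoded).
function extractTarget(requestUrl) {
  const m = /=(https?(?::\/\/|%3A%2F%2F)[^&#]+)/i.exec(requestUrl);
  if (!m) return null;
  try {
    // Parsing normalises the URL and rejects anything that is not a valid one.
    return new URL(decodeURIComponent(m[1])).href;
  } catch (e) {
    return null; // malformed escape sequence or unparsable URL
  }
}

// Build an onBeforeRequest listener. `api` is the extension namespace
// (browser or chrome); it is a parameter so the logic can be run with a stub.
function makeListener(api, { cancelOriginal = false } = {}) {
  return function onBeforeRequest(details) {
    // tabs.update navigates the whole tab, so only top-level loads qualify;
    // tabId is -1 for requests that do not belong to a tab.
    if (details.type !== "main_frame" || details.tabId < 0) return {};
    const target = extractTarget(details.url);
    if (!target) return {};
    // Start a fresh navigation instead of returning { redirectUrl: target }.
    api.tabs.update(details.tabId, { url: target });
    // The PR returns nothing here; { cancel: true } is the variant the thread
    // reports as also cancelling the tabs.update on Firefox.
    return cancelOriginal ? { cancel: true } : {};
  };
}

// Registration inside a background script (blocking webRequest permissions assumed):
// browser.webRequest.onBeforeRequest.addListener(
//   makeListener(browser), { urls: ["<all_urls>"] }, ["blocking"]);
```

Restricting the listener to `main_frame` matters because replacing the tab's URL for an image or sub-frame request would navigate the user away from the page they are reading.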