From 1c895593263a216356aa924cb15dd1e363fa74db Mon Sep 17 00:00:00 2001
From: curben <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 8 Dec 2019 02:48:35 +0000
Subject: [PATCH] post: 'GitHub now requires web browser to send referer'

---
 source/_posts/github-referer-firefox.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 source/_posts/github-referer-firefox.md

diff --git a/source/_posts/github-referer-firefox.md b/source/_posts/github-referer-firefox.md
new file mode 100644
index 0000000..5f08e2b
--- /dev/null
+++ b/source/_posts/github-referer-firefox.md
@@ -0,0 +1,14 @@
+---
+title: GitHub now requires web browser to send referer
+excerpt: Otherwise it would respond with HTTP Error 422
+date: 2019-12-08
+tags:
+- firefox
+- privacy
+---
+
+Firefox offers a security feature which you can restrict [HTTP referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) from being sent with varying granularity ([docs](https://wiki.mozilla.org/Security/Referrer)). I disabled referer altogether through `network.http.referer.defaultPolicy;0`. Most of the websites that I usually browse work just fine without referer. For website that do require ({% post_link aliexpress-no-login-firefox 'example' %}), I created {% post_link firefox-instances-profiles 'another profile' %} with slightly less strict referer policies.
+
+A website that had always worked without referer was GitHub, until 26 October 2019. At that time, I kept encountering HTTP Error 422 whenever I try to create a new pull request (the [pull request](https://github.com/hexojs/hexo/pull/3800) in question). I later pinpointed the cause to be the referer policy after I managed to create pull request in another Firefox profile and Chromium, that do not have any referer policy in place. I ended up with [duplicate](https://github.com/hexojs/hexo/pull/3801) [pull](https://github.com/hexojs/hexo/pull/3802) requests in the process.
+
+The referer policy I ended up is ``network.http.referer.defaultPolicy;1` (default is `3`) which restricts the referer to the same origin only. This config is compatible with *every* website I've encountered so far, including those that require referer. One thing to note is that website can set referer policy through [Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy) response header. But a website can only set it to the same or more strict than browser's. For this website, I set it `no-referrer`, the strictest setting equivalent to `network.http.referer.defaultPolicy;0`.