by forca 4249 days ago
Sites love to view user history. It helps them build up a profile to sell to marketers. You want to deny sites access to this info if you can. In FF, you can do this by toggling layout.css.visited_links_enabled to "false" under about:config.
2 comments

I would prefer not to as I find this useful. What I'm really trying to determine is whether this setting alone is responsible for leaking history metadata.

I'm using Firefox with NoScript and I have Firefox set to clear everything except saved passwords when I close it (which I do frequently). I'm hopeful that is good enough because it looks like JavaScript is needed for the leak to occur, right?

The site has been down for years but you can find it on The Internet Archive: wtikay.com, whattheinternetknowsaboutyou.com

There are some other sites that use the same or slightly different tactics to throw everything against the wall and see what sticks. They read your history right out of your cache, using timing or logic to know if you've already visited the sites they want to query for. They also read the color values of the links to know if you've visited that link before. This was a known issue that someone brought up 10+ years, no, 15+ years ago, before we had Firefox, when they were working on the not-production-ready Gecko codebase and still just trying to pass early CSS acid tests. Gecko builds early on had this issue and it was raised, and to this day no one has fixed it.

No, I'm not a coder/developer as yet and it is over my head, and I don't have the time to research it to devise a solution and send a patch upstream. If I could, I have serious doubts it would be mainlined. I have the impression that many in the Mozilla organization are for improving security and privacy but that some of them are MORE than happy to sacrifice our privacy for money or simply don't take things as seriously as others.

I found a bug report in Bugzilla using Google, that I can no longer turn up, regarding silent basic authentication for tracking: http://user:trackingcookieaspassword@example.com/possiblymor... This is proven and observable at http://ip-check.info. In this bug report someone, I believe, who works with them submitted a test xpi, authtest.xpi, to negate/nullify/disable this exploit between sites and only allow it on the same visited domain.

The bug report can no longer be found and all current versions of Firefox are still susceptible.

Is there a similar option for the referrer?

And while I'm at it, is there a way to prevent a website from rewriting a URL when I click on it? Sites like Google and DuckDuckGo show the actual URL in the href, but when you click it (or right-click and copy it) it becomes something like http://example.com/something?url=encoded_real_url and I detest that.

Blocking the referrer in Firefox is easy, just go to about:config and search for the string 'network.http.sendRefererHeader' then modify it from the default 2 to a 0 (zero).

For the search links, I use this Add-on and it works perfectly: https://addons.mozilla.org/en-US/firefox/addon/google-search...
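The link rewriting asked about above can be undone by reading the real destination back out of the wrapper's query string. The sketch below is an added example, not part of the thread and not the code of the add-on mentioned; the parameter names other than `url`, the depth limit, and the sample hosts are assumptions.

```javascript
// Added example: recover the destination from a redirect-wrapped link such as
// http://example.com/something?url=encoded_real_url (the shape quoted in the thread).
// "url" comes from the thread; "q" and "u" are assumed wrapper parameter names.
const WRAPPER_PARAMS = ["url", "q", "u"];
const MAX_DEPTH = 3; // wrappers can be nested; bound the unwrapping (assumed limit)

// Accept only absolute http(s) URLs, so an embedded javascript: or data:
// value is never promoted to the link target.
function parseHttpUrl(text) {
  try {
    const parsed = new URL(text);
    const ok = parsed.protocol === "http:" || parsed.protocol === "https:";
    return ok ? parsed : null;
  } catch {
    return null; // relative or malformed text is not a destination
  }
}

function unwrapRedirect(href, depth = 0) {
  const outer = parseHttpUrl(href);
  if (!outer) return href; // not an http(s) link: leave it untouched
  if (depth >= MAX_DEPTH) return outer.href;
  for (const name of WRAPPER_PARAMS) {
    // searchParams.get() returns the value already percent-decoded once
    const value = outer.searchParams.get(name);
    if (!value) continue;
    const inner = parseHttpUrl(value);
    // Only unwrap when the parameter really holds a full URL; a plain
    // search term in ?q= fails the parse and the link is kept as is.
    if (inner) return unwrapRedirect(inner.href, depth + 1);
  }
  return outer.href;
}

// Constructed sample input in the shape quoted in the thread.
const sample =
  "http://example.com/something?url=" +
  encodeURIComponent("https://dest.example/page?id=1");
console.log(unwrapRedirect(sample));
```
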

This breaks some sites. None I use. I've read it is a problem for last.fm users because of some social chat thing they use I forget the name of. Anyway. I do this too, kind of. I use either refcontrol or smart referrer. I let sites have referrer on their domain but no 3rd parties by default and can add an exception if I want. You can test this at http://ip-check.info regardless if you're using Tor or not.

I haven't found the time to do it myself yet, but will if someone doesn't beat me to porting Window Name Eraser to Firefox from Chrome. window.name is great for the site you're visiting to use on their site. They have absolutely no business using it cross-domain, period. Not even if they own the other domain. There are legitimate ways to do that but they are too lazy, dumb, or opposed to using encryption.

I will allow a fucking cookie if I want to login or allow them to store or gather anything! No supercookies, no flash cookies, no evercookies. I use cookie monster, cookie culler, cookie self-destruct, and Cookie Controller that applies my regular cookie rules/disposition to DOM storage cookies as well.

Browsers, all of them, should behave and act the way they do after I make them go all green on ip-check.info.

In addition to that they have no fucking business knowing what the monitor resolution is. They ONLY need the canvas/inner window of the browser to render their damn site right. I will pull down videos and watch them offline without flash phoning home or to anyone else to give them anything to fingerprint my devices with.

They aren't entitled to this information and I'm against them having it. If I were like Carrie or the Twilight Zone kid who sends people into the Corn field and does other "fun" stuff they would have very good reason to be worried. >=/

I see the extension also works with DuckDuckGo. Thank you very much.