proxy.cgi: drop options for faking Referer and User-Agent HTTP headers

While maintaining privacy when accessing web sites probably has never
been more important than it is today, faking Referer and User-Agent
headers is both obsolete and counterproductive:

(a) Most web sites require HTTPS, thwarting manipulation attempts to
    HTTP headers in transit. Given today's internet landscape, faking
    these headers is unlikely to work for the vast majority of web
    sites.

(b) It is trivial to detect faked HTTP User-Agent headers by obtaining
    corresponding browser information via JavaScript. Any difference
    most likely indicates (trivial) header manipulation attempts, hence
    rendering this feature useless if browsers do not behave in the same
    manner, which we cannot control on IPFire.

(c) Especially static Referer headers make users stick out like a sore
    thumb, as nobody else in the world is likely to have the same
    Referer set _all the time_.

    Modern browsers attempt to strip sensitive information from Referer
    headers, or ditch them completely, particularly to 3rd party sites.

Given the state of the web ecosystem as we know it today, enforcing
privacy in a centralised manner does not even come close to being
sufficient. Without gaining control over users' browsers, their
settings, and their infrastructure (such as setting up terminal
environments for accessing the web, preventing hardware
fingerprinting), a centralised attempt will at best fail, if not making
things worse, as highlighted in (c).

Therefore, removing these features from the Squid GUI is the least bad
option we have. We should not give our users a false sense of privacy.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller
2021-06-15 22:29:34 +02:00
committed by Michael Tremer
parent 7d72dba39d
commit 6323e9086f
10 changed files with 2 additions and 69 deletions


@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -226,8 +226,6 @@ $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited';
$proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited';
$proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited';
$proxysettings{'ENABLE_MIME_FILTER'} = 'off';
$proxysettings{'FAKE_USERAGENT'} = '';
$proxysettings{'FAKE_REFERER'} = '';
$proxysettings{'AUTH_METHOD'} = 'none';
$proxysettings{'AUTH_REALM'} = '';
$proxysettings{'AUTH_MAX_USERIP'} = '';
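Review bot: Dropping the FAKE_USERAGENT and FAKE_REFERER defaults next to ENABLE_MIME_FILTER leaves open what happens to values an existing installation has already saved; nothing in the visible hunks clears them. If stored settings are loaded over these defaults, both keys would stay in %proxysettings as unused entries and could be written back on the next save. Consider deleting the two keys explicitly after the settings are read, or removing them in the update step.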
@@ -1629,21 +1627,6 @@ END
print <<END
</table>
<hr size='1'>
<table width='100%'>
<tr>
<td><b>$Lang::tr{'advproxy privacy'}</b></td>
</tr>
<tr>
<td class='base'>$Lang::tr{'advproxy fake useragent'}:</td>
<td class='base'>$Lang::tr{'advproxy fake referer'}:</td>
</tr>
<tr>
<td><input type='text' name='FAKE_USERAGENT' value='$proxysettings{'FAKE_USERAGENT'}' size='40%' /></td>
<td><input type='text' name='FAKE_REFERER' value='$proxysettings{'FAKE_REFERER'}' size='40%' /></td>
</tr>
</table>
<hr size='1'>
END
;
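Review bot: Once the privacy table is gone, the translation keys 'advproxy privacy', 'advproxy fake useragent' and 'advproxy fake referer' are no longer referenced by this part of the form, so they should be removed from the language files in the same commit rather than left as dead strings. Please also confirm on the rendered page that a single <hr size='1'> remains after the preceding </table>, since the removed block carried its own separator.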
@@ -3846,8 +3829,7 @@ END
print FILE "http_access deny all\n\n";
if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off') ||
(!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off'))
{
print FILE "#Strip HTTP Header\n";
@@ -3861,31 +3843,9 @@ END
print FILE "request_header_access Via deny all\n";
print FILE "reply_header_access Via deny all\n";
}
if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
{
print FILE "request_header_access User-Agent deny all\n";
print FILE "reply_header_access User-Agent deny all\n";
}
if (!($proxysettings{'FAKE_REFERER'} eq ''))
{
print FILE "request_header_access Referer deny all\n";
print FILE "reply_header_access Referer deny all\n";
}
print FILE "\n";
if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
{
if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
{
print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}\n";
}
if (!($proxysettings{'FAKE_REFERER'} eq ''))
{
print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n";
}
print FILE "\n";
}
}
if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_suppress_version_string on\n\n" }
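Review bot: Removing the writers for "header_replace User-Agent", "header_replace Referer" and the matching "request_header_access ... deny all" lines only changes configuration generated from now on; a proxy configuration written before the update keeps those directives until it is regenerated. The update should rewrite the configuration and reload the proxy for anyone who had either field set, and the release notes should state that the clients' real User-Agent and Referer headers are forwarded from then on, so administrators who relied on the old behaviour are not surprised.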