Tor Browser referers register

checking my connection I noticed that tor browser showed some flaws, the message is the following: “Your browser records referers [?] and sends them. The next site was able to track from which previous site you came from. You may want to disable referer recording.”

how can I prevent this from happening by changing the parameters with about: config?


This website is protected against spoofing by DNSSEC and DANE. You may like to use a validator add-on for your webbrowser, to verify the connections integrity.


To reference your current IP-address to its probable geographic location, two services are used, MaxMind and WIPmania. From MaxMind the "GeoLite Country" offline database file is used and from WIPmania we use their API (?)
If those providers offer different opinions, we do our own whois based lookup to support one opinion or give a third one.


If you're planning to visit password protected sites on non-encrypted connections, keep in mind that some exit-nodes record the passwords and possibly use them for abuse! Also all other transferred data is possibly recorded and misused!

Known issue on this, linked [here].


Most banks and similar institutions (paypal for example) are using extended fraud countermeasures, like IP-origin plausibility checks and anonymous server blacklistings. Therefore you risk to get your bank account locked for securitiy reasons by using the Tor-network.


If you're planning to visit fraud critical HTTPS/SSL-secured sites (Banks for example) and that specific site is querying you unexpectively about accepting a new SSL-Certificate, be highly alertet! Check the Certificate data or better try another EXIT-node first! There are some rumors around, that some EXIT-nodes are trying to fake/highjack such HTTPS/SSL-connections!


This conclusion is valid only for your current webbrowser connections and not general for all other applications, because they each depend on an individual configuration which cannot be checked here!

Are you running a Tor server node (by pressing 'act as server' on Vidalia, f.e.) AND is this your Home-IP? Then you're most probably NOT using Tor to reach the web! In this case I cannot make a clear decision for you. You are at you own, to compare your ISPs given IP and the above shown IP by yourself (if they are different, you are using Tor).

Hi mikelosat

You can modify network.http.referer.XOriginPolicy and/or network.http.referer.spoofSource in about:config. Take a look at this Tor Project ticket.

1 Like

@mikelosat whenever you notice flaws in Tor Browser, let upstream know because we intentionally do not modify it to preserve the same fingerprint as all Tor Browser users.

1 Like

Please have a look:

1 Like

I’d recommend against changing the defaults of the Tor Browser as it will make you stand out from other Tor Browser users.

The Tor Browser purposefully doesn’t block referer headers.

Nearly every DNS server will use DNSSEC anyway so a browser extension would be useless. Also, adding an extension to the Tor Browser may change it’s fingerprint and make you stand out from other Tor user and the extension might leak outside of Tor, de-anonymizing you.

This is possible but there are thousands of Tor nodes and the likelihood that you’ll ever come across a malicious one is very small. The network is periodically checked for malicious nodes and as soon as one is found, it will be blacklisted from the network. If you use https or an onion service then this is impossible as https encrypts the connection further and onion services don’t even use exit nodes. Around 80% websites use https and all popular ones do.

This is why you should never try to access your bank through Tor, a VPN or similar.

Performing a MITM attack is hard to do and very obvious, any node attempting to do this will be blacklisted from the network pretty quickly. HTTPSEverywhere (an extension the Tor Browser uses) will also protect against these unless you disable it.

Tl;dr: You probably shouldn’t listen to this website.

1 Like

I followed the third point of the configuration on the Tor Browser, I seem to have understood that it is not possible to block the referrer totally so the third option is that which increases security, I wonder why it is not already applied by default to implement security more web?

Lowest: no referrer restrictions (network.http.referer.XOriginPolicy=0) and no spoofing (network.http.referer.spoofSource=false)

Medium-low: send referrer only if base domains match (network.http.referer.XOriginPolicy=1) but don’t change it (network.http.referer.spoofSource=false)

Medium-high: send referrer only if base domains match (network.http.referer.XOriginPolicy=1) and point it to the target url (network.http.referer.spoofSource=true),
or: send unchanged referrer but only if hosts match (network.http.referer.XOriginPolicy=2 and network.http.referer.spoofSource=false)

Highest: send referrer only if hosts match (network.http.referer.XOriginPolicy=2) and point it to the target url (network.http.referer.spoofSource=true)

Hi mikelosat

In many cases it may seen like a security enhancement is a no-brainer when it comes to implementing. In this case, one of the reasons comes down to a usability vs. secruity trade-off . Meaning this setting can break websites. This is the same reason NoScript is not set to Block scripts globally by default.

As HulaHoop mentioned this is something that you should take up with upstream (Tor project) and using this configuration will alter your fingerprint which can(will) degrade anonymity.


DNS security is a charade. The system is so centralized and easy to manipulate that the new encryption extensions are a waste of everybody’s time.

1 Like

Tor is an anonymizer developed by The Tor Project. Tor Browser is a web browser
developed by the Tor Project optimized for privacy. Please don’t substitute writing Tor when you mean Tor Browser or the confusion will be perfect.

1 Like