Regarding referrer, browsers send the `Origin` header on WebSocket connections, revealing the domain name of the client app. Other resources can be loaded without referrer/origin through `Referrer-Policy`. This does not affect the WebSocket `Origin` header.
I did some testing and found a trick: Put the WebSocket client in a sandboxed iframe.
Demo here: https://sha.femtol.net/dev-tests/ws-origin/iframe-sandbox.html (use the browser's network console).
Tested and works on both Firefox and Chromium. It might not work on older Firefox browsers, though.
shafemtol /
npub1mh…anahj
2023-02-28 17:10:48
in reply to nevent1q…d6z2
Author Public Key
npub1mh94j7j7nwvzl7kwcg70fhxe67kdy50fccakmueq9jjf77zmc25svanahjPublished at
2023-02-28 17:10:48Event JSON
{
"id": "04e2ac90fd2b3d95c99d8bcf07d8146e4766921e7ae2ee7e8f2f75329190cb0e",
"pubkey": "ddcb597a5e9b982ffacec23cf4dcd9d7acd251e9c63b6df3202ca49f785bc2a9",
"created_at": 1677600648,
"kind": 1,
"tags": [
[
"e",
"922ffd7b3508545c85a222331a0c578337ba8f3a895632e78f6892bbdde9cbfc",
"",
"root"
],
[
"p",
"9a39bf837c868d61ed8cce6a4c7a0eb96f5e5bcc082ad6afdd5496cb614a23fb"
]
],
"content": "Regarding referrer, browsers send the `Origin` header on WebSocket connections, revealing the domain name of the client app. Other resources can be loaded without referrer/origin through `Referrer-Policy`. This does not affect the WebSocket `Origin` header.\n\nI did some testing and found a trick: Put the WebSocket client in a sandboxed iframe.\n\nDemo here: https://sha.femtol.net/dev-tests/ws-origin/iframe-sandbox.html (use the browser's network console).\n\nTested and works on both Firefox and Chromium. It might not work on older Firefox browsers, though.",
"sig": "269ecc35f1ea0e23563400f9a59e216d13db0549f49d35fa193fe5844fb20e0511cdfbbf43ef2077a4500ceca77372101f061e5d47a067486fe25a0e8e710ad4"
}