[Livehttpheaders] Livehttpheaders: feedback from Anthony Georgeo

notes at mozdev.org notes at mozdev.org
Tue May 23 19:48:13 EDT 2006


http://livehttpheaders.mozdev.org/suggestions.html#c366

Hello,

I am requesting a feature for your great "livehttpheaders" which will enable HTTP/S environmental variable header filtering.

HTTP/S headers include information about the systems in use. This is bad in regards to security, privacy, crackers, etc.

There are HTTP proxy programs such as "Privoxy" and "Proximodo" which filter HTTP environmental variable headers. Unfortunately, none of the existing HTTP header filtering solutions are able to filter HTTPS data due to the nature of HTTPS (e.g. SSL) encryption.

As Firefox has access to the verified and decrypted HTTPS headers FF is in the best position to filter the decrypted HTTPS headers on-the-fly.

A Firefox extension may be the best option for HTTP/S header filtering as explained in this quote:


"The only way to do this is via extensions to the browser. That way you do not interfere with CRL/OCSP for true cert verification...And you get SSL for free, because your extensions see the web data AFTER the browser has performed (optional) rigorous checks to make sure the cert has not been revoked or otherwise compromised/spoofed."


I requested this feature as an extension at 


But, then I found your great extension and I thought you may be interested in adding this feature to your extension. I thought you may be able to implement this feature faster/better than others due to the nature of your "livehttpheaders" extension.


Here are the HTTP/S Environmental Variable Headers that IMO should be filtered or spoofed:

'Referrer' =
Should be spoofed to match the home-page of the server/site the user is actively connected to.

'User-Agent' =
Should be user configurable for OS, encryption strength, language, browser, etc 

'Proxy-Connection' =
Should be set to the parameter "Close"

'Accept-Language' =
Should be user configurable, generally to match the language in "User-Agent".

'Prevent-Compression' =
The FF extension should add an HTTP/S header to each request so only uncompressed transfers are requested.

'X-Forwarded-for' =

a.) Should be able to forge "X-Forwarded-for:" headers using random IP addresses from a specified network, to make successive requests from the same client look like requests from a pool of different users sharing the same proxy.

b.) If 'a.)' is not feasible then the next best option is the removal (e.g. deletion) of the HTTP/S header "X-Forwarded-for" from client requests and prevent creation of new ones.



Thank you,

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
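
As an added example (not part of the original message and not LiveHTTPHeaders code), the rewrite-and-remove rules requested above can be written as a pure function over a request's header map, which makes the policy easy to test before wiring it into a browser hook. The function name, policy fields and sample values are assumptions; "Prevent-Compression" is mapped here to the standard `Accept-Encoding: identity`, and only option b (removal) is shown for X-Forwarded-For.

```javascript
// Hypothetical policy object: both values are constructed samples.
const DEFAULT_POLICY = {
  userAgent: "ExampleBrowser/1.0",
  acceptLanguage: "en-US,en;q=0.5",
};

// Returns a new header map (lower-cased names) with the message's rules applied.
// HTTP header names are case-insensitive, so matching is done on lower case.
function filterRequestHeaders(requestUrl, headers, policy = DEFAULT_POLICY) {
  const target = new URL(requestUrl); // throws on a malformed URL
  const out = {};

  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    // Option b from the message: drop X-Forwarded-For entirely.
    if (key === "x-forwarded-for") continue;
    out[key] = value;
  }

  // Referer: if one would be sent, replace it with the home page of the
  // site being requested, so the previous page is not disclosed.
  if ("referer" in out) out["referer"] = target.origin + "/";

  // Proxy-Connection: force "close" when the header is present.
  if ("proxy-connection" in out) out["proxy-connection"] = "close";

  // User-configurable identity headers.
  out["user-agent"] = policy.userAgent;
  out["accept-language"] = policy.acceptLanguage;

  // Ask for uncompressed responses only.
  out["accept-encoding"] = "identity";

  return out;
}

// Constructed sample request, for illustration only.
const sample = filterRequestHeaders("https://shop.example.com/cart?id=7", {
  "Host": "shop.example.com",
  "Referer": "https://search.example.net/?q=private+query",
  "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)",
  "X-Forwarded-For": "10.0.0.5",
  "Accept-Encoding": "gzip, deflate",
});
console.log(sample);
```

Because the function never mutates its input, the original and filtered header sets can be logged side by side to confirm what was changed.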

