removed referrer exception rule for moremorewin.net

[pes10k]

We currently allow referrer headers to be set on moremorewin.net. This site seems abandoned and has a bad cert. This PR removes that domain from the exception list.

Fixes issue brave/brave-browser#327

Submitter Checklist:

• Submitted a ticket for my issue if one did not already exist.
• Used Github auto-closing keywords in the commit message.
• Tagged reviewers and labelled the pull request as needed.
• Request a security/privacy review as needed.

Test Plan:

Reviewer Checklist:

• New files have MPL-2.0 license header.
• Request a security/privacy review as needed.
• Adequate test coverage exists to prevent regressions

[bbondy]

The rule still applies to the http:// scheme though which seems to be still valid. Are you sure this is safe to remove?

[pes10k]

We discussed at the privacy confab and the consensus was that it made sense to remove, since the content on the http site seems to be of little value (images of websites?), the cert on the https site is invalid, and no one had any idea why it was added in the first place or why it'd be useful to send headers to the site

[bridiver]

@snyderp @jonathansampson brave/browser-laptop#7407

I'm not advocating that we keep it because I don't think we should disable it for every random site out there, but just for reference

[pes10k]

This site is semi-popular (https://www.alexa.com/siteinfo/popyard.com),

Do we have some criteria for what sites are worth maintaining exceptions for (ie when the privacy benefit is > the breakage cost)?

[bridiver]

@snyderp I don't think we have any hard criteria for it, but maybe Alexa is a good metric. @bbondy do we have a paid account so we can see estimated uniques?

[bbondy]

not that I know of

[pes10k]

Discussed with @bridiver on Slack, short term next steps for this might be:

• leave PR in the queue for now, and discuss at next Privacy confab
• figure out if we can come up for a domain-popularity threshold, and only consider exceptions for sites above that
• If popyard.com doesn't make the cut, then just remove
• If popyard.com does, then limit the policy to only allow moremorewin.net to receive referrers from popyard.com

[bbondy]

Can you find the original things that landed for browser-laptop to see if there's context on why it was added? Then we can decide from there. I think longer term we want an enhancement to the ad-block filter syntax to dictate default shield settings, and a mode that people can use for be as protective as possible without causing web-compat issues.

[bridiver]

@bbondy see browser-laptop issue linked above

[bbondy]

I'm ok removing but please post a new tracking issue which keeps track of past exceptions and associated issue links. That way if we create a mode later for be as protective as possible without breaking then we can revisit it.

[pes10k]

Sounds good, created tracking issue here: brave/brave-browser#390