Closed Bug 16003 Opened 25 years ago Closed 25 years ago

secure forms requesting "refering URL" not working

Categories

(Core :: DOM: Core & HTML, defect, P3)

VERIFIED DUPLICATE of bug 1582

People

(Reporter: holi, Assigned: gagan)

When I go to http://shadnet.shad.ca, and login with my ID and password (when a
wrong password or ID is entered, you get a wrong username/pswd error, which is
normal and working right) in Mozilla, I get this error:

""""""
ShadNet -- Your refering URL is not allowed.

For security reasons, pages in ShadNet may only be linked to by other pages in
ShadNet. This is especially important when performing FORM processing.

If you are interested in more details, please contact the system administrator
[shadnetadmin@shad.ca] for more information
""""""

I'm using M10 right now, but have noticed the problem on every other previous
nightly build and release I used, starting from M3. I'm on Win98, but I am 99%
sure that the problem persists on every other platform and OS.

I won't give you my username&pswd for obvious reasons, but I asked the admin and
he made a test page that should normally show the refering URL when one is
provided. Look to: [http://dev.shad.ca/~odin/blah.html]. Netscape 4.61 will
display: "Content-Type: text/html You were referred by:
http://dev.shad.ca/~odin/blah.html" while Mozilla won't display anything.
Component: Security → Form Submission
Assignee: mwelch → warren
This is a referer bug. Reassigning to warren so that he can assign to the proper
person.
Assignee: warren → dougt
Target Milestone: M11
Doug and Gagan should handle this.
The URL listed above is no longer valid.
Sorry about that, the admin did a CVS update and it nuked it. The url
[http://dev.shad.ca/~odin/blah.html] is back online now.
Blocks: 13785
Assignee: dougt → gagan
Status: NEW → ASSIGNED
Seems like form submission has broken referer sending. I recall having added
that myself. So am taking over and going to investigate...

My first hunch is that we are using all lower case headers which for some
scripts is bad, even though the spec says it's valid. But I am going to hold back
my comments on it till I can figure out what's going on here.
Target Milestone: M11 → M12
m12
Moving Assignee from gagan to warren since he is away.
Moving what's not done for M12 to M13.
Assignee: warren → gagan
Back to Gagan for m13.
Target Milestone: M13 → M14
Setting the keyword all open [4.xp] bugs to 4xp.
Keywords: 4xp
Summary: [4.xP] secure forms requesting "refering URL" not working → secure forms requesting "refering URL" not working
I think this is a dup of bug 1582 - Send HTTP_REFERER value to server. Marking
as such.

*** This bug has been marked as a duplicate of 1582 ***
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
No longer blocks: 13785
Verified duplicate.
Status: RESOLVED → VERIFIED
Component: HTML: Form Submission → DOM: Core & HTML