Closed Bug 162589 Opened 23 years ago Closed 23 years ago

about:cache-entry should not be sent as a HTTP Referer header.

Categories

(Core :: Networking: Cache, defect, P1)

VERIFIED FIXED
mozilla1.2alpha

People

(Reporter: darin.moz, Assigned: darin.moz)

Details

Attachments

(1 file, 1 obsolete file)

1) load about:cache
2) click on a http page that is cached
3) notice that you're looking at an about:cache-entry URL that has the original http or https URL encoded in it.
4) click on the link, and the about:cache-entry URL will be sent as the HTTP Referer header.
this is a security concern when the cached URL is a HTTPS redirect to a HTTP site. normally, we don't expose HTTPS URLs to HTTP sites (or other HTTPS sites for that matter). however, because the HTTPS URL is encoded in an about:cache-entry URL, our checks to prevent sending a HTTPS URL as a HTTP Referer would fail.
So we should just add 'about' to the list in nsHTTPChannel? Maybe we're better off with a white list (http, https (sometimes), ftp, gopher) instead of the blacklist....
I agree that white list is much better than black list.
yeah, a whitelist would make a lot more sense. ultimately, however, i was thinking that each nsIProtocolHandler should be able to tell us if it would allow URLs of its type to be sent as a HTTP referrer, but maybe it really should be the HTTP implementation that decides. hmm. anyways, a whitelist would be really easy to implement and it'd keep all of the decisions about HTTP referrers in one place.
Status: NEW → ASSIGNED
Well, we could use another one of the flag bits, although last time I suggested adding a flag to a frozen interface even if 'things' without the flag behaved as before, I got a somewhat mixed reaction... We could try again now that we have a concrete example to discuss on npm.xpcom, I suppose.
i'm going to go with the white-list approach for now, and let such a discussion go on in parallel... i think it's important to have a quick fix to this bug.
Severity: normal → critical
Keywords: mozilla1.2
Priority: -- → P1
Target Milestone: --- → mozilla1.2alpha
Attached patch: v1 patch (obsolete)
simple whitelist for http referrer: only allows http, https, and ftp. https still follows the same referrer rules. tested against about:cache-entry, and verified that it is no longer sent as a referrer.
Attachment #96781 - Attachment is obsolete: true
Comment on attachment 96782: v1.1 patch - forgot about gopher
gopher forever! r=bbaetz
Attachment #96782 - Flags: review+
Comment on attachment 96782: v1.1 patch - forgot about gopher
sr=heikki
Attachment #96782 - Flags: superreview+
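
An added example, not part of the bug thread and not the attached patch: a self-contained C++ comparison of the blocklist and allowlist approaches discussed above, showing why a scheme check on an about:cache-entry referrer never reaches the https rule. The function names, the blocklist contents, the sample about:cache-entry URL, and treating "same site" as "same host" are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical helpers for illustration; not Mozilla's nsHttpChannel code.
static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}
// Scheme is the text before the first ':', lowercased (empty if none).
std::string SchemeOf(const std::string& url) {
    auto colon = url.find(':');
    return colon == std::string::npos ? "" : Lower(url.substr(0, colon));
}
// Host of a "scheme://host[:port]/path" URL; userinfo is not handled.
std::string HostOf(const std::string& url) {
    auto start = url.find("://");
    if (start == std::string::npos) return "";
    start += 3;
    auto end = url.find_first_of(":/?#", start);
    return Lower(url.substr(start, end == std::string::npos ? end : end - start));
}
static bool Contains(const std::vector<std::string>& list, const std::string& s) {
    return std::find(list.begin(), list.end(), s) != list.end();
}
// Rule from the thread: an https referrer goes neither to http sites nor to
// other https sites. "Same site" is taken to mean same host (assumption).
bool HttpsRuleAllows(const std::string& referrer, const std::string& target) {
    if (SchemeOf(referrer) != "https") return true;
    return SchemeOf(target) == "https" && HostOf(target) == HostOf(referrer);
}
// Blocklist: refuse only listed schemes (constructed list). Unlisted schemes
// such as about: pass, and the https rule never sees the embedded https URL.
bool BlocklistAllows(const std::string& referrer, const std::string& target) {
    static const std::vector<std::string> kBlocked = {"file", "javascript"};
    return !Contains(kBlocked, SchemeOf(referrer)) && HttpsRuleAllows(referrer, target);
}
// Allowlist from the thread: http, https, ftp, gopher; everything else is dropped.
bool AllowlistAllows(const std::string& referrer, const std::string& target) {
    static const std::vector<std::string> kAllowed = {"http", "https", "ftp", "gopher"};
    return Contains(kAllowed, SchemeOf(referrer)) && HttpsRuleAllows(referrer, target);
}
// Constructed sample; the real about:cache-entry query format may differ.
const std::string kCacheEntry = "about:cache-entry?key=https://secure.example/account";
```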
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
verified trunk 09/05/02 - about:cache is not being sent as referer - winNT, linux, mac
Status: RESOLVED → VERIFIED
Group: security