Closed
Bug 56977
Opened 24 years ago
Closed 23 years ago
When using https the http_referrer is not used correctly
Categories
(Core :: Networking: HTTP, defect, P1)
Tracking
VERIFIED
INVALID
mozilla0.9.4
People
(Reporter: philipp.von-dahl, Assigned: darin.moz)
Details
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20001010
BuildID: 2000091312

Inside the commerzbank online banking application the http_referrer is used for security reasons. The error messages I get when using mozilla m18 indicate that the http_referrer is not used correctly when using https. It works when using http but not https. No such errors with mozilla m17, but also with Netscape PR3 on Linux.

Reproducible: Always

Steps to Reproduce:
Sorry I can't give you any instructions here but you would need an account at commerzbank (Germany).

Actual Results:
I'm getting the Error message our application gives when someone tries to "jump into the application from outside"; that means the application does not get the http_referrer it expects.

Expected Results:
Display the next page

For further questions mail: philipp.von-dahl@commerzbank.com
Comment 1•24 years ago
Confirming for triage by gagan. Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee
Comment 2•24 years ago
Reporter: can you please verify this bug against the official netscape 6.0 release? thanks!
Reporter
Comment 3•24 years ago
Yes, same behaviour with the official Netscape 6. However, further testing revealed that the problem is not using https but frames (with http and https). When using frames, the HTTP_REFERER is used for the page containing the frameset, but no HTTP_REFERER is given for the frames themselves.
http bugs to "Networking::HTTP"
Assignee: gagan → darin
Component: Networking → Networking: HTTP
Target Milestone: --- → M19
Comment 5•24 years ago
I think we're seeing this bug also, but I can't tell you what site (yet) because it's not launched. However netscape 6 does seem to be leaving the referer null when switching http->https. Ask me again in mid February if you need to know which site.
Reporter
Comment 6•24 years ago
The Problem seems to be solved when using the nightly build from 9th February 2001 (Windows).
Assignee
Comment 7•24 years ago
Resolving as FIXED, please reopen if bug returns.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 8•23 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3) Gecko/20010801

Referer Not Sent From HTTPS://

HTTP:// -> HTTPS:// Pass
HTTP:// -> HTTP:// Pass
HTTPS:// -> HTTP:// Fail
HTTPS:// -> HTTPS:// Fail
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Can you clarify what that chart means? I'm assuming you mean getting a (http or https) URL from a (http or https) URL. Do you mean PASS = send the header, or PASS = tested correctly?
Comment 10•23 years ago
Sorry, To clarify

From         To          http_referer Sent
--------     --------    -----------------
HTTP://   -> HTTPS://    Yes
HTTP://   -> HTTP://     Yes
HTTPS://  -> HTTP://     No
HTTPS://  -> HTTPS://    No

Where "From" is the Protocol used to request the initial page and "To" is the Protocol used to request the linked page.
Assignee
Updated•23 years ago
Status: REOPENED → ASSIGNED
Priority: P3 → P1
Target Milestone: --- → mozilla0.9.4
Assignee
Comment 11•23 years ago
the spec says that for HTTPS->HTTP, the referrer should not be sent. but from HTTPS->HTTPS it does not make any restrictions, so we should fix only this case.
Assignee
Comment 12•23 years ago
after discussing this with some of the security folks, i think i agree with our current HTTPS referrer behavior. so, i'm closing this bug out as INVALID.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → INVALID
Reporter
Comment 13•23 years ago
Darin, could you please elaborate a bit further why you think a referer shouldn't be sent when using https? Regards Philipp
Comment 14•23 years ago
I am also confused about this decision, especially since this bug is produced when going from one page to the next on the same box (during the same "secure session" as it were). This is especially troubling since every other browser does this. I am of the understanding that while there may be no explicit requirement to send a referer under these circumstances, there is no explicit requirement NOT to either. From searching through the other HTTP_REFERER related bugs I have deduced that this lack of behavior will undoubtedly break validation code in several financial, banking and *ahem* "Adult" sites. Not Good.
Assignee
Comment 15•23 years ago
a HTTPS referrer will be sent to the same site, but not when switching sites.
Comment 16•23 years ago
If you go to this page: https://www.protusfax.com/protus/test/test_ref1.asp

There will be the page referer (if any) pulled out via ASP, and a relative link to test_ref2.asp in the same directory. test_ref2.asp & test_ref1.asp are exactly the same, except that their links point to the other page.

In Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3) Gecko/20010801 (release 0.93) the referer is never sent.

Just so that there's no confusion, here is the back end ASP code:

[----CODE------]
<html>
<head>
</head>
<body>
<%Response.Write "Referer=" & Request.ServerVariables("HTTP_REFERER")%><br>
<br>
<a href="test_ref1.asp">HTTPS:// -> HTTPS:// (same box - relative link)</a>
</body>
</html>
[----CODE------]

This bug should be reopened.
Assignee
Comment 17•23 years ago
if you try testing a more recent nightly build, you'll notice that the bug you describe has been fixed. it was not fixed in mozilla 0.9.3.
Comment 18•23 years ago
Yep, the https->https case was fixed in bug 89995.
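
Added example, not part of the bug thread and not Mozilla's code: the Referer policy stated in comments 11 and 15, set beside the 0.9.3 behaviour reported in comments 10 and 16, to show which requests a server-side Referer check would have seen without the header. The function names, the `example.test` hosts and the "same site means same host and port" rule are assumptions of this sketch.

```javascript
// Added example, not Mozilla's implementation. "Same site" is modelled as
// same host and port, which is an assumption of this sketch.

// Policy from comments 11 and 15.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.protocol !== "http:" && from.protocol !== "https:") return null;
  if (from.protocol === "https:") {
    // HTTPS -> HTTP: never expose the secure page's URL over cleartext.
    if (to.protocol !== "https:") return null;
    // HTTPS -> HTTPS: only when staying on the same site.
    if (from.host !== to.host) return null;
  }
  // Userinfo and fragment are never part of a Referer value.
  from.username = "";
  from.password = "";
  from.hash = "";
  return from.href;
}

// Behaviour reported for 0.9.3 in comments 10 and 16: nothing sent from HTTPS.
function refererFor093(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === "https:" ? null : refererFor(fromUrl, toUrl);
}

// Constructed navigations; the example.test hosts are placeholders.
const NAVIGATIONS = [
  ["http://www.example.test/a", "https://bank.example.test/login"],
  ["http://www.example.test/a", "http://www.example.test/b"],
  ["https://bank.example.test/app/menu#top", "http://www.example.test/"],
  ["https://bank.example.test/app/menu#top", "https://bank.example.test/app/pay"],
  ["https://bank.example.test/app/menu", "https://cdn.example.test/x.js"],
];

// Rows where the policy sends a Referer but the 0.9.3 behaviour did not:
// these are the requests a server-side Referer check would have rejected.
function brokenIn093() {
  return NAVIGATIONS.filter(
    ([from, to]) => refererFor(from, to) !== null && refererFor093(from, to) === null
  );
}

for (const [from, to] of NAVIGATIONS) {
  console.log(`${from} -> ${to}: ${refererFor(from, to) ?? "(no Referer)"}`);
}
console.log("affected in 0.9.3:", brokenIn093());
```

Only the same-site HTTPS to HTTPS navigation differs between the two functions, which is the case comment 18 says was fixed in bug 89995.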