Closed Bug 56977 Opened 24 years ago Closed 23 years ago

When using https the http_referrer is not used correctly

Categories

(Core :: Networking: HTTP, defect, P1)

x86
Windows NT
defect

Tracking


VERIFIED INVALID
mozilla0.9.4

People

(Reporter: philipp.von-dahl, Assigned: darin.moz)

References


Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20001010
BuildID:    2000091312

Inside the commerzbank online banking application the http_referrer is used for
security reasons. The error messages I get when using mozilla m18 indicate that
the http_referrer is not used correctly when using https. It works when using
http but not https. No such errors with mozilla m17, but also with Netscape PR3
on Linux.

Reproducible: Always
Steps to Reproduce:
Sorry I can't give you any instructions here but you would need an account at
commerzbank (Germany).

Actual Results:  I'm getting the error message our application gives when
someone tries to "jump into the application from outside", which means the
application does not get the http_referrer it expects.
Expected Results:  Display the next page

For further questions mail: philipp.von-dahl@commerzbank.com
Confirming for triage by gagan.

Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter: can you please verify this bug against the official netscape 6.0
release?  thanks!
Yes, same behaviour with the official Netscape 6.

However, further testing revealed that the problem is not 
using https but frames (with http and https).

When using frames, the HTTP_REFERER is used for the page 
containing the frameset, but no HTTP_REFERER is given for
the frames themselves.
 
Blocks: 61660
Blocks: 61687
http bugs to "Networking::HTTP"
Assignee: gagan → darin
Component: Networking → Networking: HTTP
Target Milestone: --- → M19
I think we're seeing this bug also, but I can't tell you what site (yet) because
it's not launched. However Netscape 6 does seem to be leaving the referer null
when switching http->https.

Ask me again in mid February if you need to know which site.
The Problem seems to be solved when using the nightly build from
9th February 2001 (Windows).
 
Resolving as FIXED, please reopen if bug returns.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2) Gecko/20010726
Netscape6/6.1
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3) Gecko/20010801

Referer Not Sent From HTTPS:// 

HTTP://   -> HTTPS:// Pass
HTTP://   -> HTTP://  Pass
HTTPS://  -> HTTP://  Fail
HTTPS://  -> HTTPS:// Fail
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Can you clarify what that chart means?

I'm assuming you mean
getting a (http or https) URL from a (http or https) URL.
Do you mean PASS = send the header, or PASS = tested correctly?
Sorry,
To clarify

From        To       http_referer Sent
--------    -------- -----------------
HTTP://  -> HTTPS:// Yes
HTTP://  -> HTTP://  Yes
HTTPS:// -> HTTP://  No
HTTPS:// -> HTTPS:// No

Where "From" is the Protocol used to request the initial page
  and "To" is the Protocol used to request the linked page.
Status: REOPENED → ASSIGNED
Priority: P3 → P1
Target Milestone: --- → mozilla0.9.4
the spec says that for HTTPS->HTTP, the referrer should not be sent.
but from HTTPS->HTTPS it does not make any restrictions, so we should fix only
this case.
after discussing this with some of the security folks, i think i agree with our
current HTTPS referrer behavior.  so, i'm closing this bug out as INVALID.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → INVALID
Darin,
could you please elaborate a bit further why you think a referer
shouldn't be sent when using https?

Regards
Philipp
I am also confused about this decision, especially since this bug is produced 
when going from one page to the next on the same box (during the same "secure 
session" as it were).

This is especially troubling since every other browser does this. I am of the 
understanding that while there may be no explicit requirement to send a referer 
under these circumstances, there is no explicit requirement NOT to either.

From searching through the other HTTP_REFERER related bugs I have deduced that 
this lack of behavior will undoubtedly break validation code in several 
financial, banking and *ahem* "Adult" sites.

Not Good.
an HTTPS referrer will be sent to the same site, but not when switching sites.
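A model of the Referer policy the thread converges on (a downgrade to http never carries the header; https to https carries it only within the same site) next to the kind of referer check the reporter's application relies on, added here as an illustration and not taken from Mozilla's or the bank's code. The hosts bank.example and other.example are placeholders, and the plain host comparison is an assumption about what such a server-side check looks like:

```python
from typing import Optional
from urllib.parse import urlsplit

def referer_to_send(from_url: str, to_url: str) -> Optional[str]:
    """Return the Referer a browser following the policy described in this
    bug would attach, or None when the header is withheld.

    Policy (reconstructed from the comments, not Mozilla's source):
      * http:// origin: always sent, including the http -> https upgrade.
      * https:// -> http:// downgrade: never sent (RFC 2616 sec. 15.1.3).
      * https:// -> https://: sent only while the host stays the same.
    """
    src, dst = urlsplit(from_url), urlsplit(to_url)
    if src.scheme == "http":
        return from_url
    if src.scheme == "https" and dst.scheme == "https":
        return from_url if src.hostname == dst.hostname else None
    return None  # downgrade to http, or an unrecognised scheme

def server_accepts(referer: Optional[str], app_host: str) -> bool:
    """Model of a referer-based 'came from inside the application' check of
    the kind the reporter describes (assumption: a plain host comparison).
    A missing header is rejected, which is what surfaced this bug."""
    if not referer:
        return False
    return urlsplit(referer).hostname == app_host

# Constructed navigations; bank.example / other.example are placeholder hosts.
NAVIGATIONS = [
    ("http://bank.example/login", "https://bank.example/overview"),
    ("http://bank.example/a", "http://bank.example/b"),
    ("https://bank.example/a", "http://bank.example/b"),
    ("https://bank.example/a", "https://bank.example/b"),
    ("https://bank.example/a", "https://other.example/b"),
]

def chart(navigations=NAVIGATIONS, app_host="bank.example"):
    """Rebuild the From / To / Sent chart from the bug and add whether the
    server-side check would let each navigation through."""
    rows = []
    for src, dst in navigations:
        ref = referer_to_send(src, dst)
        rows.append((src, dst, ref is not None, server_accepts(ref, app_host)))
    return rows

if __name__ == "__main__":
    for src, dst, sent, accepted in chart():
        print(f"{src:28} -> {dst:32} sent={sent!s:5} accepted={accepted}")
```

The fourth row is the case that broke the bank's application while the header was still being withheld: a check of this shape cannot tell a legitimately missing Referer from an entry from outside.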
If you go to this page:
https://www.protusfax.com/protus/test/test_ref1.asp

There will be the page referer (if any) pulled out via ASP, and a relative link 
to test_ref2.asp in the same directory. test_ref2.asp & test_ref1.asp are 
exactly the same, except that their links point to the other page.

In Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3) Gecko/20010801
(release 0.93) the referer is never sent.

Just so that there's no confusion, here is the back end ASP code:
[----CODE------]
<html>
<head>
</head>
<body>
<%' Echo whatever Referer header the browser sent (empty when none was sent) %>
<%Response.Write "Referer=" & Request.ServerVariables("HTTP_REFERER")%><br>
<br>
<a href="test_ref1.asp">HTTPS:// -> HTTPS:// (same box - relative link)</a>
</body>
</html>
[----CODE------]

This bug should be reopened.
if you try testing a more recent nightly build, you'll notice that the bug you
describe has been fixed.  it was not fixed in mozilla 0.9.3.
Yep, the https->https case was fixed in bug 89995.
Verified fixed.
Status: RESOLVED → VERIFIED
QA Contact: tever → junruh