Closed Bug 242656 Opened 20 years ago Closed 20 years ago

referer http header should not be sent when a new window is opened by javascript code

Categories

(Core :: Security, enhancement)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: io, Assigned: security-bugs)

References

(
URL
)

Details

Attachments

(1 file)

links
309 bytes, text/html
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040316
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040316

The "referer" http header should not be sent when security can be compromised
(rfc2616 - 15.1.3).

Unsecure situations could be:
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;q178066)

"...Internet Explorer will not send the Referer header for each of the following
example hyperlinks from one document URL to another document URL:
1- javascript:somejavascriptcode --> http://example.microsoft.com
2- file://c:\alocalhtmlfile.htm  --> http://example.microsoft.com
3- https://example.microsoft.com --> http://www.microsoft.com..."

Case 1 is not actually supported by Mozilla: if a javascript opens a new window,
ie window.open(someurl), Mozilla sends the referer http header (Internet
Explorer doesn't)
Since the above mentioned RFC paragraph doesn't specify what are "unsecure
situations" (other than passing from https to http, obviously), Mozilla should
provide at least a security toggle switch to allow/unallow referer http header
being sent when some javascript code opens a new url.

Reproducible: Always
Steps to Reproduce:
Ignore my previous comment.
Why is that an insecure situation, exactly?
According to the reference (RFC 2616 15.1.3), "Because the source of a link
might be private information or might reveal an otherwise private information
source, it is strongly recommended that the user be able to select whether or
not the Referer field is sent." (e.g., you don't want to publish the location of
a file on your local hard drive, AIUI)
Yes, but we already have a pref to control this, and a file:// referrer will
NEVER get sent to an http:// URI, no matter what the pref setting is.  So the
question remains, why is this a security-sensitive situation any more than any
other window.open() call?  Note that not sending referrer on window.open in
general _will_ break sites.
(In reply to comment #3)
> Why is that an insecure situation, exactly?

I don't yet know, I'm still thinking about that... we should ask Microsoft ;)
Does IE send referrer if the window.open is just done via an onclick, say, not
via a javascript: url?
Attached file links 
MSIE 6.0 doesn't send referrer in both cases (onclick event and javascript:
link).
But it sends it on <a href="" target="_blank">?

In short, I just see a bug in IE, not a security issue in Mozilla...
(In reply to comment #9)
> But it sends it on <a href="" target="_blank">?

yes

> In short, I just see a bug in IE, not a security issue in Mozilla...

it's not a bug since Microsoft documented this here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q178066
and this behaviour is the same from IE4.x to IE6.x
Microsoft explicitly decided, for security reasons (without specifying exactly
which ones), to not send the referer when a javascript opens an url.
> it's not a bug since Microsoft documented this here:

They don't document onclick there, do they?  So I don't see what this document
has to do withthe discussion.  We're talking about IE not sending referrer for
window.open() in general (whereas in the same exact circumstances, it'll send it
if you set document.location instead of opening a new window).  Hence the bug in
IE -- inconsistent treatment of basically same methods of opening a URI.

We do _exactly_ the sort of protocol filtering they talk about (look it up in
nsHttpChannel:SetReferrer!), but "javascript:foo" is not treated as a separate
"site" (like it apparently is in IE) because it's not -- it's just JS running on
the page in question.  Again, all they "decided" is that they can't tell what
the original URI was so their same-scheme policy blocks it.  That's fine, but
that's not a security decision, it's a bug.

I'm marking this invalid, since I don't believe we need to be emulating the IE
bugs and we already implement a security policy identical to that document,
modulo the aforementioned IE bugs.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
*** Bug 283619 has been marked as a duplicate of this bug. ***
*** Bug 359851 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: