Closed
Bug 130170
Opened 22 years ago
Closed 22 years ago
Http referrer from https should also be supplied when the target is another SECURE server
Categories
(Core Graveyard :: Security: UI, defect, P2)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 128213
psm2.2
People
(Reporter: jeff.qiu, Assigned: ssaux)
Details
Quoted from feedback from Bank of America: " Sun folks, We are having a problem with Netscape6 in one of our applications. The application is SSL, and requires "HTTP_REFERER" environmental variable to determine where the user is coming from, and takes action appropriately (the sites from which the users will be coming are also SSL). The problem is that Netscape 6 does not appear to supply HTTP_REFERER for SSL - when tested with pure unencrypted HTTP pages, the REFERER value is set appropriately, but going from SSL site to SSL site, it is not set. What is the cause of this behavior? Other browsers, including previous releases of Netscape, handle referers correctly regardless of encryption. Is there any setting in the browser that will alter this behavior? " See bug 89995, we will send the referrer from https when the request is to the same SSL server. But if the target is another secure server, the referer will be removed, which causes the problem.
Some words from RFC2616, 15.1.3: " Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol. " Maybe we go too far again.
Comment 2•22 years ago
The fix from bug 89995 was in netwerk. Maybe we go too far in this, but servers should not use referer for functionality. The current implementation will shield the user from a malicious advertisement from a login page which uses the get protocol. cc mstoltz, darin. Certainly the previous fix could be changed to pass the referrer in that case.
Priority: -- → P2
Target Milestone: --- → 2.2
Version: 1.01 → 2.0
Comment 3•22 years ago
exactly, and it is a user preference to send Referer headers. RFC2616 is specific in saying that HTTP user-agents should provide a mechanism to allow users to disable sending referrers. the websites are definitely in error for depending on this feature. that said, see bug 128213... vinay has posted a patch to add a preference for allowing cross-https referrers. by default, this is still blocked... but now users can unblock it if necessary to use some particular website. we might want to dupe this bug and/or evangelize BofA.
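The Referer policy that comment 3 describes (user-disableable; RFC 2616 §15.1.3 suppression when going from a secure page to a non-secure target; same-server https allowed per bug 89995; cross-https blocked unless a preference unblocks it) is small enough to write out. The function below is an added illustration, not code from this bug, from Mozilla's netwerk module, or from the patch in bug 128213; the preference name `allowCrossSecureReferer` and the hostnames in the checks are constructed placeholders, since the page gives neither the real pref name nor the sites involved.

```javascript
// Added example (not code from this bug or from Mozilla): a Referer-emission
// policy modelled on the rules discussed in this bug. The preference name
// allowCrossSecureReferer is a hypothetical stand-in for the pref the bug 128213
// patch adds; this page does not give the real name.

/**
 * Decide which Referer value, if any, a user agent should send when a page at
 * `referringUrl` requests `targetUrl`.
 *
 * Rules applied, in order:
 *  1. `sendReferer` false: the user has switched Referer off entirely (RFC 2616
 *     asks user agents to offer this choice), so send nothing.
 *  2. Referring page was not fetched over TLS: send the URL, minus fragment and
 *     credentials (RFC 2616 §14.36 forbids a fragment in Referer).
 *  3. Referring page was TLS but the target is not: never send (RFC 2616
 *     §15.1.3); the secure page's path and query would otherwise travel in the
 *     clear to a third party.
 *  4. TLS to the same origin: send (the case bug 89995 left enabled).
 *  5. TLS to a different secure origin: send only if `allowCrossSecureReferer`
 *     is set; blocked by default, as comment 3 describes.
 *
 * Returns the Referer string, or null when no header should be sent.
 */
function refererFor(referringUrl, targetUrl, prefs = {}) {
  const { sendReferer = true, allowCrossSecureReferer = false } = prefs;
  if (!sendReferer) return null;                          // rule 1

  const from = new URL(referringUrl);
  const to = new URL(targetUrl);

  // Parts that must never appear in a Referer, whatever the rule outcome.
  const stripped = new URL(from.href);
  stripped.hash = '';
  stripped.username = '';
  stripped.password = '';

  if (from.protocol !== 'https:') return stripped.href;   // rule 2
  if (to.protocol !== 'https:') return null;              // rule 3
  if (from.origin === to.origin) return stripped.href;    // rule 4
  return allowCrossSecureReferer ? stripped.href : null;  // rule 5
}

// Constructed sample navigations (placeholder hosts, not real sites), one per rule.
function demo() {
  const cases = [
    ['http://shop.example/cart?id=7',      'https://bank.example/pay',      {}],
    ['https://bank.example/acct?sid=abc',  'http://ads.example/track',      {}],
    ['https://bank.example/acct#top',      'https://bank.example:443/pay',  {}],
    ['https://bank.example/acct',          'https://partner.example/sso',   {}],
    ['https://bank.example/acct',          'https://partner.example/sso',   { allowCrossSecureReferer: true }],
    ['http://shop.example/',               'http://other.example/',         { sendReferer: false }],
  ];
  return cases.map(([from, to, prefs]) => ({ from, to, referer: refererFor(from, to, prefs) }));
}

console.table(demo());
```

The same-origin check uses `URL.origin`, so an explicit `:443` on one side and the default port on the other still compare equal, which is what "the same SSL server" in the description needs; a different port on the same host is treated as a different origin and falls under the preference.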
Comment 4•22 years ago
The bug of which this is a dupe seems to have a patch for everything -- optionally sending referrer between different secure servers AND sending referrer between the same server pages. *** This bug has been marked as a duplicate of 128213 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Product: Core → Core Graveyard