Closed Bug 130170 Opened 22 years ago Closed 22 years ago

Http referrer from https should also be supplied when the target is another SECURE server

Categories

(Core Graveyard :: Security: UI, defect, P2)

1.0 Branch
defect

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 128213
psm2.2

People

(Reporter: jeff.qiu, Assigned: ssaux)

Details

Quoted from feedback from Bank of America:
"
Sun folks,

We are having a problem with Netscape6 in one of our applications.  

The application is SSL, and requires "HTTP_REFERER" environmental variable
to determine where the user is coming from, and takes action appropriately
(the sites from which the users will be coming are also SSL).

The problem is that Netscape 6 does not appear to supply HTTP_REFERER for
SSL - when tested with pure unencrypted HTTP pages, the REFERER value is set
appropriately, but going from SSL site to SSL site, it is not set.

What is the cause of this behavior?  Other browsers, including previous
releases of Netscape, handle referers correctly regardless of encryption.
Is there any setting in the browser that will alter this behavior?
"

See bug 89995, we will send the referrer from https when the request is to the
same SSL server. But if the target is another secure server, the referer will 
be removed, which causes the problem.
Some words from RFC2616, 15.1.3:
"
   Clients SHOULD NOT include a Referer header field in a (non-secure)
   HTTP request if the referring page was transferred with a secure
   protocol.
"

Maybe we go too far again.
The fix from bug 89995 was in netwerk.
Maybe we go too far in this, but servers should not use referer for functionality.

The current implementation will shield the user from a malicious advertisement
from a login page which uses GET.

cc mstoltz, darin.

Certainly the previous fix could be changed to pass the referrer in that case.
Priority: -- → P2
Target Milestone: --- → 2.2
Version: 1.01 → 2.0
exactly, and it is a user preference to send Referer headers.  RFC2616 is
specific in saying that HTTP user-agents should provide a mechanism to allow
users to disable sending referrers.  the websites are definitely in error for
depending on this feature.  that said, see bug 128213... vinay has posted a
patch to add a preference for allowing cross-https referrers.  by default, this
is still blocked... but now users can unblock it if necessary to use some
particular website.

we might want to dupe this bug and/or evangelize BofA.
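The rules discussed in this thread, written out as an added example (this is not Mozilla's netwerk code and not the patch from bug 128213; the preference names sendReferer and allowCrossHttpsReferer are assumed stand-ins for whatever the real prefs were called). The decision covers the four cases in play: the user preference RFC 2616 requires, the secure-to-non-secure strip from 15.1.3, the same-secure-server exception from bug 89995, and the cross-https case that is blocked by default and unblocked only by preference. It also strips the fragment, which RFC 2616 14.36 says the Referer must never carry, so the login-page-with-query-string case shows what would actually leak if the header were sent:

```javascript
// Added example: model of the Referer decision described in this bug.
// Not Mozilla's implementation; preference names below are assumptions.
const DEFAULT_PREFS = {
  sendReferer: true,             // assumed name: user may disable Referer entirely (RFC 2616 15.1.3)
  allowCrossHttpsReferer: false, // assumed name for the bug 128213 pref; blocked by default
};

// Decide whether the request to targetUrl, navigated from referringUrl,
// should carry a Referer header, and say why.
function refererDecision(referringUrl, targetUrl, prefs) {
  const opts = { ...DEFAULT_PREFS, ...(prefs || {}) };
  const ref = new URL(referringUrl);
  const target = new URL(targetUrl);

  if (!opts.sendReferer) {
    return { send: false, reason: "Referer disabled by user preference" };
  }
  if (ref.protocol !== "https:") {
    // Referring page was not secure: nothing in RFC 2616 15.1.3 applies.
    return { send: true, reason: "referring page was not secure" };
  }
  if (target.protocol !== "https:") {
    // Secure referrer, non-secure request: the SHOULD NOT case in 15.1.3.
    return { send: false, reason: "secure referrer to non-secure request (RFC 2616 15.1.3)" };
  }
  // URL.host includes a non-default port, so "same server" means host:port.
  if (ref.host === target.host) {
    return { send: true, reason: "same secure server (bug 89995 behaviour)" };
  }
  if (opts.allowCrossHttpsReferer) {
    return { send: true, reason: "different secure server, allowed by preference" };
  }
  return { send: false, reason: "different secure server, cross-https Referer blocked by default" };
}

// The Referer value itself: the referring URL without its fragment
// (RFC 2616 14.36) and without any userinfo (a choice made here, not a rule
// from the bug).
function refererValue(referringUrl) {
  const u = new URL(referringUrl);
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// Assemble the request headers the user agent would send.
function buildRequestHeaders(referringUrl, targetUrl, prefs) {
  const headers = { Host: new URL(targetUrl).host };
  const decision = refererDecision(referringUrl, targetUrl, prefs);
  if (decision.send) {
    headers.Referer = refererValue(referringUrl);
  }
  return headers;
}

// The BofA situation from the report (constructed URLs): https login site
// sending the user to a second https site on another host.
const bofa = buildRequestHeaders(
  "https://login.bank.example/start?acct=123",
  "https://app.bank.example/landing"
);
console.log("default prefs:", bofa);
console.log(
  "cross-https allowed:",
  buildRequestHeaders(
    "https://login.bank.example/start?acct=123",
    "https://app.bank.example/landing",
    { allowCrossHttpsReferer: true }
  )
);
```

Run with node; with default preferences the first request has no Referer, which is exactly the symptom in the report, and only the second call (preference flipped) carries one. Note what that Referer contains when it is sent: the full query string of the login page, which is the leak the default is protecting against when the target is an advertiser rather than the bank's own second server.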
The bug of which this is a dupe seems to have a patch for everything --
optionally sending referrer between different secure servers AND sending
referrer between the same server pages.

*** This bug has been marked as a duplicate of 128213 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Verified.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard