154062 - Referrer not sent when posting secure form to a different domain.

Status: RESOLVED DUPLICATE of bug 141641

(Core :: Security, defect)

Description

[Greg McCann]

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)
BuildID:    2002053012

When a secure form is posted to a different domain from the one hosting the 
form, an empty referrer string is sent.

This breaks e-commerce functionality on sites that use a payment processor that 
requires the form to be submitted only from a certain referrer.

(Yes, I know that depending on referrer info for "security" is lame, but it is 
done by major payment processors, including Verisign and Authorize.net.  In 
some cases, the payment processor *requires* this.)



Reproducible: Always
Steps to Reproduce:
1.  Create a secure form with an "action=" pointing to a different domain.
2.  Submit the form.  (To test this it is not necessary to actually create a 
processing script.  The action URL doesn't have to exist, but it does have to 
go to a real domain where you can see the entry in the server log.)
3.  Look at the server logs for the domain the form was submitted to.  The 
referrer field will be empty.

Actual Results:  Log entry after form is submitted by Mozilla.  Note the empty 
referrer...

k1.domain.com 1.2.3.4 - [24/Jun/2002:20:39:48 -0700] "POST /blah.cgi HTTP/1.1" 
404 287 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.0) 
Gecko/20020530"


Expected Results:  Here is a log entry from the same form, submitted by IE.  
Note that there is a value in the referrer field...

k1.domain.com 1.2.3.4 - [24/Jun/2002:20:40:03 -0700] "POST /blah.cgi HTTP/1.1" 
404 287 "https://www.domain2.org/sc/final_confirmation.cgi" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)"

Comment 1

[Jesse Ruderman]

*** This bug has been marked as a duplicate of 141641 ***