Referrer not sent when posting secure form to a different domain.

RESOLVED DUPLICATE of bug 141641

Status


Core
Security
--
major
15 years ago
15 years ago

People

(Reporter: Greg McCann, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
x86
Windows ME
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

15 years ago
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)
BuildID:    2002053012

When a secure form is posted to a different domain from the one hosting the 
form, an empty referrer string is sent.

This breaks e-commerce functionality on sites that use a payment processor that 
requires the form to be submitted only from a certain referrer.

(Yes, I know that depending on referrer info for "security" is lame, but it is 
done by major payment processors, including Verisign and Authorize.net.  In 
some cases, the payment processor *requires* this.)



Reproducible: Always
Steps to Reproduce:
1.  Create a secure form with an "action=" pointing to a different domain.
2.  Submit the form.  (To test this it is not necessary to actually create a 
processing script.  The action URL doesn't have to exist, but it does have to 
go to a real domain where you can see the entry in the server log.)
3.  Look at the server logs for the domain the form was submitted to.  The 
referrer field will be empty.

Actual Results:  Log entry after form is submitted by Mozilla.  Note the empty 
referrer...

k1.domain.com 1.2.3.4 - [24/Jun/2002:20:39:48 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.0) Gecko/20020530"


Expected Results:  Here is a log entry from the same form, submitted by IE.  
Note that there is a value in the referrer field...

k1.domain.com 1.2.3.4 - [24/Jun/2002:20:40:03 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "https://www.domain2.org/sc/final_confirmation.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)"
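
Added example, not part of the original report: a Python script that parses the two log entries above and classifies each POST's referrer as missing, allowed or foreign, so a receiving site can tell an absent header apart from a mismatched one. The allow-list of merchant origins and the function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Log layout used in the report: vhost, client IP, "-", [time], "request",
# status, size, "referrer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) - \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The two log entries from the report, each unwrapped onto a single line.
SAMPLE_LOG = [
    'k1.domain.com 1.2.3.4 - [24/Jun/2002:20:39:48 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "-" '
    '"Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.0) Gecko/20020530"',
    'k1.domain.com 1.2.3.4 - [24/Jun/2002:20:40:03 -0700] "POST /blah.cgi HTTP/1.1" 404 287 '
    '"https://www.domain2.org/sc/final_confirmation.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)"',
]

# Assumption: the receiving site expects forms hosted on this merchant origin.
ALLOWED_ORIGINS = {("https", "www.domain2.org")}

def classify_referrer(value, allowed=ALLOWED_ORIGINS):
    """Return 'missing', 'allowed' or 'foreign' for a logged referrer value."""
    if value in ("", "-"):
        return "missing"  # header absent: the browser sent no referrer at all
    parts = urlsplit(value)
    origin = (parts.scheme.lower(), (parts.hostname or "").lower())
    return "allowed" if origin in allowed else "foreign"

def audit_posts(lines, allowed=ALLOWED_ORIGINS):
    """Classify the referrer of every POST request found in the log lines."""
    results = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            results.append(("unparsed", None, None))
            continue
        if m["method"] == "POST":
            results.append((classify_referrer(m["referrer"], allowed), m["path"], m["agent"]))
    return results

if __name__ == "__main__":
    for verdict, path, agent in audit_posts(SAMPLE_LOG):
        print(f"{verdict:8} {path} {agent}")
```

The Mozilla entry comes out as "missing" rather than "foreign": a check that rejects every request without a referrer turns away that submission even though it came from the expected form.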

Comment 1

15 years ago

*** This bug has been marked as a duplicate of 141641 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE