Closed Bug 154062 Opened 21 years ago Closed 21 years ago
Referrer not sent when posting secure form to a different domain
(Core :: Security, defect)
(Reporter: greg, Assigned: security-bugs)
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)
BuildID: 2002053012

When a secure form is posted to a different domain from the one hosting the form, an empty referrer string is sent. This breaks e-commerce functionality on sites that use a payment processor that requires the form to be submitted only from a certain referrer. (Yes, I know that depending on referrer info for "security" is lame, but it is done by major payment processors, including Verisign and Authorize.net. In some cases, the payment processor *requires* this.)

Reproducible: Always

Steps to Reproduce:
1. Create a secure form with an "action=" pointing to a different domain.
2. Submit the form. (To test this it is not necessary to actually create a processing script. The action URL doesn't have to exist, but it does have to go to a real domain where you can see the entry in the server log.)
3. Look at the server logs for the domain the form was submitted to. The referrer field will be empty.

Actual Results:
Log entry after form is submitted by Mozilla. Note the empty referrer...

k1.domain.com 220.127.116.11 - [24/Jun/2002:20:39:48 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.0) Gecko/20020530"

Expected Results:
Here is a log entry from the same form, submitted by IE. Note that there is a value in the referrer field...

k1.domain.com 18.104.22.168 - [24/Jun/2002:20:40:03 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "https://www.domain2.org/sc/final_confirmation.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)"
21 years ago
*** This bug has been marked as a duplicate of 141641 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE