Closed
Bug 154062
Opened 23 years ago
Closed 23 years ago
Referrer not sent when posting secure form to a different domain.
Categories
(Core :: Security, defect)
RESOLVED
DUPLICATE
of bug 141641
People
(Reporter: greg, Assigned: security-bugs)
Details
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)
BuildID: 2002053012
When a secure form is posted to a different domain from the one hosting the
form, an empty referrer string is sent.
This breaks e-commerce functionality on sites that use a payment processor that
requires the form to be submitted only from a certain referrer.
(Yes, I know that depending on referrer info for "security" is lame, but it is
done by major payment processors, including Verisign and Authorize.net. In
some cases, the payment processor *requires* this.)
Reproducible: Always
Steps to Reproduce:
1. Create a secure form with an "action=" pointing to a different domain.
2. Submit the form. (To test this it is not necessary to actually create a
processing script. The action URL doesn't have to exist, but it does have to
go to a real domain where you can see the entry in the server log.)
3. Look at the server logs for the domain the form was submitted to. The
referrer field will be empty.
Actual Results: Log entry after form is submitted by Mozilla. Note the empty
referrer...
k1.domain.com 1.2.3.4 - [24/Jun/2002:20:39:48 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.0) Gecko/20020530"
Expected Results: Here is a log entry from the same form, submitted by IE.
Note that there is a value in the referrer field...
k1.domain.com 1.2.3.4 - [24/Jun/2002:20:40:03 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "https://www.domain2.org/sc/final_confirmation.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)"
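Added example, not part of the original report: a small parser for access log lines in the field order shown above, which an operator of the receiving endpoint could run to count how many POSTs arrive with no referrer versus a cross-host one. The names `classify` and `summarize` are hypothetical, and the last two sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Field order of the log lines quoted in the report:
# vhost client ident [time] "request" status bytes "referrer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) \S+ [^"]*" \d{3} (?:\d+|-) '
    r'"(?P<referrer>[^"]*)" "[^"]*"$'
)

def classify(line):
    """Return (method, referrer_state, referrer_host), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    method, ref = m.group("method"), m.group("referrer")
    if ref in ("", "-"):          # "-" is what the log shows when no referrer arrived
        return (method, "missing", None)
    try:
        host = urlsplit(ref).hostname
    except ValueError:            # e.g. unbalanced IPv6 brackets in the value
        host = None
    if host is None:
        return (method, "malformed", None)
    state = "same-host" if host == m.group("vhost").lower() else "cross-host"
    return (method, state, host)

def summarize(lines):
    """Count requests per 'METHOD state' so missing-referrer POSTs stand out."""
    counts = {}
    for line in lines:
        result = classify(line)
        key = "unparsed" if result is None else f"{result[0]} {result[1]}"
        counts[key] = counts.get(key, 0) + 1
    return counts

SAMPLE = [
    # The two entries from the report, each rejoined onto one line.
    'k1.domain.com 1.2.3.4 - [24/Jun/2002:20:39:48 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "-" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.0.0) Gecko/20020530"',
    'k1.domain.com 1.2.3.4 - [24/Jun/2002:20:40:03 -0700] "POST /blah.cgi HTTP/1.1" 404 287 "https://www.domain2.org/sc/final_confirmation.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; T312461)"',
    # Constructed lines, not from the report.
    'k1.domain.com 1.2.3.4 - [24/Jun/2002:20:41:10 -0700] "GET /index.html HTTP/1.1" 200 512 "http://k1.domain.com/start.html" "ExampleAgent/1.0"',
    'not an access log line',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```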
Comment 1•23 years ago
*** This bug has been marked as a duplicate of 141641 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE