175092 - [FIXr]ctrl+middleclick in body to open selection in new window sends referer

Status: RESOLVED FIXED

(SeaMonkey :: UI Design, defect, P2)

Description

[Jeremy M. Dolan]

major privacy/security and correctness issue.

load a slashdot page in one tab.
select a bugzilla link in another application.
ctrl+middle-click mozilla to load the bugzilla link in a new tab.
bugzilla slashdot blocked page is shown

Some situations we're feeding sites private URLs.
Some situations we're just feeding sites bogus referer data, corrupting their
links-in, data, and confusing them to how we got from the open page to theirs.

Linux 2002101508.

Comment 1

[Boris Zbarsky [:bzbarsky]]

Attachment: totally untested patch

Comment 2

[Boris Zbarsky [:bzbarsky]]

May as well take this...

Comment 3

[Christian :Biesinger (don't email me, ping me on IRC)]

isn't this a feature?

Comment 4

[Boris Zbarsky [:bzbarsky]]

No.

Comment 5

[Jeremy M. Dolan]

Most excellente señor. No referer sent for current or new tab windows.

And the shift bg toggle works perfect too. I think that fixes another bug
somewhere out there (which I may have filed as well). Tested it with both
settings for load in bg. Beautiful.

*chants one-point-two, one-point-two, one-point-two*

Only one thing I'm not sure of:

         if (saveModifier) {                        // if saveModifier is down
-          saveURL(href, linkNode ? gatherTextUnder(linkNode) : "");
+          saveURL(href, linkNode ? gatherTextUnder(linkNode) : "", null, true);

You added two args to saveURL() and I don't see you changing that function's
prototype anywhere. Don't even know what this block of code does, so I may just
be confused.

Comment 6

[Boris Zbarsky [:bzbarsky]]

Oh, whoops.  These changes:

-          saveURL(href, linkNode ? gatherTextUnder(linkNode) : "");
+          saveURL(href, linkNode ? gatherTextUnder(linkNode) : "", null, true);

+    if (url != "about:blank") {
+      gURLBar.value = url;
+    }

belong to other bugs...

So as far as testing goes, here's what needs to be tested:

1)  referrer is sent when middle-clicking links (tab and window), ctrl-clicking
    links (tab and window), doing "open link in new window/tab" from context
    menu, clicking on links normally.
2)  referrer not sent for middlemouse paste, with or without control key.

I'll try to get to that this weekend...

Comment 7

[Christian :Biesinger (don't email me, ping me on IRC)]

ohhh, you're right, I read that as middle-click on a link / Ctrl+click on a link.
didn't know about ctrl+middleclick...

Comment 8

[Boris Zbarsky [:bzbarsky]]

Attachment: punt the extraneous stuff

I took out the saveURL. I left in the gURLBar thing because it's standalone and
the time it would take me to find the relevant bug is not worth it.  Hopefully
reviewers are OK with it.  ;)

Comment 9

[jag (Peter Annema)]

Comment on attachment 104452 [details] [diff] [review]
punt the extraneous stuff

sr=jag

Comment 10

[Boris Zbarsky [:bzbarsky]]

Fix checked in for 1.3a

Comment 11

[HJ]

Sorry, maybe it's just me but the description for this pref setting is getting
very confusing this way.

all.js:
-------
pref("network.http.sendRefererHeader", 2); // 0=don't send any, 1=send only on
clicks, 2=send on image requests as well

Isn't control-click and/or middle-click just a click?

Comment 12

[Boris Zbarsky [:bzbarsky]]

It's not a click on a _LINK_.  Clicks on bookmarks in the personal toolbar or
the home button are clicks too, and do not send referrer.