Open Bug 1772472 Opened 2 years ago Updated 2 years ago

Http requests upgrade to https do not send a Referrer header (CSP upgrade-insecure-requests)

Categories

(Core :: DOM: Security, defect, P3)

Firefox 103
defect

People

(Reporter: nayinain, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: parity-chrome, Whiteboard: [domsecurity-backlog2])

Attachments

(2 files)

Attached image Firefox.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0

Steps to reproduce:

  1. Open Web Console (Ctrl+Shift+K)
  2. Load https://stockpage.10jqka.com.cn/hqmini_v2.html#code=hs_002594&cw=650
  3. Filter with last.js.
  4. Expand and view the request header details.

Actual results:

There is no Referrer.

Expected results:

Referrer header should exist.

Attached image Chrome.png
Has STR: --- → yes
Keywords: parity-chrome

:nayinain, if you think that's a regression, could you try to find a regression range using for example mozregression?

I bet that we calculated the referrer when it was still an http: link before it was later upgraded -- referrers aren't sent when a secure page makes a request to an http: link.

Component: DOM: Networking → DOM: Security

(In reply to Daniel Veditz [:dveditz] from comment #3)

> I bet that we calculated the referrer when it was still an http: link before it was later upgraded -- referrers aren't sent when a secure page makes a request to an http: link.

I think you are right. It seems we stop calculating referer info at this line.

Blocks: csp-w3c-3
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Summary: Http requests upgrade to https do not send a Referrer header → Http requests upgrade to https do not send a Referrer header (CSP upgrade-insecure-requests)
Whiteboard: [domsecurity-backlog2]
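The ordering discussed in the comments above, as an added example that is not Firefox code or part of the original bug: a simplified JavaScript model of Referrer Policy evaluation, run once before and once after the CSP `upgrade-insecure-requests` rewrite. The hosts, the function names, the `order` parameter and the two policies modelled are assumptions made for illustration.

```javascript
// Simplified model of Referrer Policy evaluation (added example, not Firefox code).
// "Downgrade" is reduced to https -> non-https; the spec uses "potentially trustworthy".
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

// Referrers never carry credentials or the fragment; originOnly trims to the origin.
function stripReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = ''; u.password = ''; u.hash = '';
  return originOnly ? u.origin + '/' : u.href;
}

// Returns the Referer value, or null when the header is omitted.
function computeReferrer(documentUrl, requestUrl, policy) {
  const sameOrigin = new URL(documentUrl).origin === new URL(requestUrl).origin;
  switch (policy) {
    case 'no-referrer-when-downgrade':
      return isDowngrade(documentUrl, requestUrl) ? null : stripReferrer(documentUrl, false);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripReferrer(documentUrl, false);
      return isDowngrade(documentUrl, requestUrl) ? null : stripReferrer(documentUrl, true);
    default:
      throw new Error('policy not modelled: ' + policy);
  }
}

// CSP upgrade-insecure-requests: rewrite http: to https: before the request is sent.
function upgradeInsecure(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.href;
}

// order is hypothetical: it selects which step sees the original http: URL.
function referrerForSubresource(documentUrl, requestUrl, policy, order) {
  if (order === 'referrer-then-upgrade') {
    const referrer = computeReferrer(documentUrl, requestUrl, policy); // sees http:
    return { url: upgradeInsecure(requestUrl), referrer };
  }
  const url = upgradeInsecure(requestUrl);
  return { url, referrer: computeReferrer(documentUrl, url, policy) }; // sees https:
}

// Constructed sample input: a secure page embedding a script through an http: URL.
const DOC = 'https://page.example/hqmini.html#code=1';
const REQ = 'http://static.example/js/last.js';
for (const order of ['referrer-then-upgrade', 'upgrade-then-referrer']) {
  console.log(order, referrerForSubresource(DOC, REQ, 'strict-origin-when-cross-origin', order));
}
```

In both orderings the request goes out over https; only the ordering that evaluates the policy against the upgraded URL produces a Referer value.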