Bug 182640
Opened 22 years ago
Closed 22 years ago
Privacy: window.open() in bookmark leaks URL of current page through (wrong!) referrer header
Categories: SeaMonkey :: Bookmarks & History, defect
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 122668
People: Reporter: oes, Assigned: bugs
Details: Keywords: privacy
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021126
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021126

If a bookmark contains a JS window.open('some-URL'), then the resulting request for some-URL will have a Referer header field which discloses the URL of the page which was loaded when the bookmark was clicked.

This is wrong in that it
- violates RFC 2606: "The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard.",
- discloses information about the user in an unexpected way, which makes it a privacy problem, IMHO,
- interferes with Privoxy, which relies on an empty Referer if a bookmark was used.

Reproducible: Always

Steps to Reproduce:
1. Store e.g. javascript:void(window.open('http://validator.w3.org/check/referer','foo','')); as a bookmark.
2. Go to http://www.yahoo.com/
3. Click the bookmark
4. Convince yourself that validator.w3.org has received a Referer header field containing http://www.yahoo.com/

Actual Results: A Referer field was sent with the request

Expected Results: No Referer field should have been sent with the request
*** This bug has been marked as a duplicate of 122668 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Updated 20 years ago
Product: Browser → Seamonkey
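
The following is an added example, not part of the bug report or of Mozilla's code: a local Node.js endpoint that reports whether a request arrived with a Referer header, so that step 4 of the report can be repeated without a third-party site. The port 8080, the /check path, the --listen switch and the function names are assumptions made for this example.

```javascript
// Local stand-in for the "check/referer" endpoint used in the report.
// Run with:  node referer-check.js --listen
// Then use the report's bookmark with the URL swapped for
//   http://127.0.0.1:8080/check   (address and path are assumptions)

// Classify one request's headers against the behaviour the report expects:
// a navigation started from a bookmark should carry no Referer at all.
function refererVerdict(headers) {
  const raw = headers['referer']; // Node lower-cases incoming header names
  if (raw === undefined || raw === '') {
    return { leaked: false, detail: 'no Referer sent' };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { leaked: true, detail: `unparseable Referer: ${raw}` };
  }
  // Distinguish an origin-only disclosure from one that exposes path or query.
  const scope = (url.pathname !== '/' || url.search) ? 'full URL' : 'origin';
  return { leaked: true, origin: url.origin, detail: `${scope} disclosed: ${url.href}` };
}

async function startServer(port = 8080) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    const v = refererVerdict(req.headers);
    console.log(`${req.method} ${req.url} -> ${v.detail}`);
    // text/plain + nosniff: the echoed header value is never rendered as HTML.
    res.writeHead(200, {
      'Content-Type': 'text/plain; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Cache-Control': 'no-store',
    });
    res.end(`${v.leaked ? 'FAIL' : 'PASS'}: ${v.detail}\n`);
  });
  server.listen(port, '127.0.0.1'); // loopback only
  return server;
}

if (process.argv.includes('--listen')) startServer();
```

A PASS response corresponds to the report's expected result and a FAIL response to its actual result.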