Closed Bug 182640 Opened 22 years ago Closed 22 years ago

Privacy: window.open() in bookmark leaks URL of current page through (wrong!) referrer header

Categories

(SeaMonkey :: Bookmarks & History, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 122668

People

(Reporter: oes, Assigned: bugs)

Details

(Keywords: privacy)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021126
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021126

If a bookmark contains a JS window.open('some-URL'), then the resulting request 
for some-URL will have a Referer header field which discloses the URL of the 
page which was loaded when the bookmark was clicked.

This is wrong in that it

 - violates RFC 2606: "The Referer field MUST NOT be sent if the Request-URI
   was obtained from a source that does not have its own URI, such as input
   from the user keyboard.",
 - discloses information about the user in an unexpected way, which makes it
   a privacy problem, IMHO,
 - interferes with Privoxy, which relies on an empty Referer if a bookmark
   was used.



Reproducible: Always

Steps to Reproduce:
1. Store e.g.
javascript:void(window.open('http://validator.w3.org/check/referer','foo',''));
as a bookmark.
2. Go to http://www.yahoo.com/
3. Click the bookmark
4. Convince yourself that validator.w3.org has received a Referer header field
containing http://www.yahoo.com/


Actual Results:  
A Referer field was sent with the request

Expected Results:  
No Referer field should have been sent with the request
Keywords: privacy

*** This bug has been marked as a duplicate of 122668 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Product: Browser → Seamonkey
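
A local stand-in for the external Referer echo page used in the steps to reproduce, so the check in step 4 can be run against your own machine. This is an added example, not part of the original report or of Mozilla's code; the function names, the `--serve` flag and port 8080 are assumptions of the example.

```javascript
// Added example (Node.js). classifyReferer, serve, --serve and port 8080
// are names chosen for this example, not taken from the bug report.

// Classify the Referer of one request. `headers` uses Node's lower-cased
// header names; `ownOrigin` is the origin of this test server.
function classifyReferer(headers, ownOrigin) {
  const raw = headers['referer'];
  if (raw === undefined || raw === '') {
    return { sent: false, leak: false };          // the expected result
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    // A value was still disclosed, even if it is not a valid absolute URL.
    return { sent: true, leak: true, origin: null, path: null, hasQuery: false };
  }
  return {
    sent: true,
    leak: url.origin !== ownOrigin,               // another site's URL was disclosed
    origin: url.origin,
    path: url.pathname,
    hasQuery: url.search !== '',                  // query strings often carry user data
  };
}

// Minimal echo server: logs the classification and answers in plain text.
function serve(port) {
  const http = require('node:http');
  http.createServer((req, res) => {
    const ownOrigin = `http://${req.headers.host}`;
    const result = classifyReferer(req.headers, ownOrigin);
    console.log(req.method, req.url, JSON.stringify(result));
    res.writeHead(200, {
      'Content-Type': 'text/plain; charset=utf-8', // never render the echoed value as HTML
      'X-Content-Type-Options': 'nosniff',
    });
    res.end(result.sent
      ? `Referer received: ${req.headers.referer}\n`
      : 'No Referer received\n');
  }).listen(port, '127.0.0.1');                    // loopback only
}

if (process.argv.includes('--serve')) serve(8080);
```

Run it with `--serve`, point the bookmark's `window.open()` at `http://localhost:8080/`, and repeat steps 2 to 4; a `leak: true` line in the log corresponds to the Actual Results above.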