Wrong referrer with "Load URLs typed into the address bar in new tabs"




15 years ago
15 years ago


(Reporter: jericho+mozilla, Assigned: bugs)


Firefox Tracking Flags

(Not tracked)




15 years ago
User-Agent:       Firefox/0.9.2 (Windoze XP; U) [en]
Build Identifier: Firefox/0.9.2 (Windows XP; U) [en]

"Load URLs typed into the address bar in new tabs" is selected (not sure if this
is part of Tabbrowser Preferences 0.6.5 extension or native to Firefox. When I 
type in a new URL, it will load the page in a new tab as expected. However, the
remote web will receive the href as URL of the previous tab, regardless of their

Reproducible: Always
Steps to Reproduce:
1. load www.one.com into tab
2. type www.two.com into address bar
3. check web log of site two.com and notice href of hit shows one.com as referrer

Actual Results:  
forced ~# tail -f /home/admin/access_log | grep spleh - - [21/Jul/2004:04:50:49 -0400] "GET /spleh HTTP/1.1" 404 1932
"http://arbitrary.net/" "Firefox/0.9.2 (Windoze XP; U) [en]"

Notice that "arbitrary.net" shows in the HREF field here, even though that site
(changed for this report) does not link to the site with this log. it is
inhereting the href from the previous tab in firefox that i was looking at.

Expected Results:  
if i manually type a URL into the address bar, it should show no href, just a
direct page load.

forced ~# tail -f /home/admin/access_log | grep spleh - - [21/Jul/2004:05:10:43 -0400] "GET /spleh HTTP/1.1" 404 1906
"-" "Opera/6.03 (Windows 2000; U)  [en]"

I flagged this as 'security' related because in some instances, there is a chance
a user may disclose sensitive information from one tab to a remote site without
realizing it. If the URL/HREF carries any sensitive information such as session
ID, login names, private web space, etc... it would be disclosed to the remote

Comment 1

15 years ago
"Load URLs typed into the address bar in new tabs" is a TBE option, not a
Firefox option.  This is probably a TBE bug.  Do you know how to report bugs in TBE?
Summary: url typed in addressbar provides incorrect href to remote web site → Wrong referrer with "Load URLs typed into the address bar in new tabs"

Comment 2

15 years ago
The reporter is going to tell the author of Tabbrowser Preferences (not TBE, my
mistake) about this bug.  I'm marking this bug INVALID but leaving it
security-sensitive so the extension author has a chance to fix it.
Last Resolved: 15 years ago
Resolution: --- → INVALID

Comment 3

15 years ago
Fixed in TBP 0.6.8.  Making public.
Group: security
You need to log in before you can comment on or make changes to this bug.