Closed
Bug 258185
Opened 20 years ago
Closed 19 years ago
Current referer sent when pressing shift-enter in location field
Categories
(SeaMonkey :: UI Design, defect, P1)
SeaMonkey
UI Design
Tracking
(Not tracked)
RESOLVED
FIXED
seamonkey1.0alpha
People
(Reporter: bugzilla.mozilla-sp, Assigned: Biesinger)
References
Details
(Keywords: privacy, Whiteboard: [sg:nse])
Attachments
(1 file, 1 obsolete file)
5.35 KB,
patch
|
neil
:
review+
jag+mozilla
:
superreview+
dveditz
:
approval1.8b2+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040704 Debian/1.4-2 StumbleUpon/1.76 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040704 Debian/1.4-2 StumbleUpon/1.76 Mozilla sends the last URL that was generated by the sidebar as Referer when entering another URL in the location field and pressing Shift-Enter (for download). Reproducible: Always Steps to Reproduce: 1. Open sidebar 2. Use google-search in sidebar, look for "testing" 3. Type http://server.whose.access.log.i.can.read/foobar in the location field and press shift-enter Actual Results: access.log on the server: Referer will be set to "http://www.google.com/search?q=testing&sourceid=mozilla&start=0&start=0&ie=utf-8&oe=utf-8" Expected Results: Referer should have been empty
Reporter | ||
Comment 1•20 years ago
|
||
I also have seen this bug when using Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko /20040803 so it's not Linux- or Debian- related, I guess.
Keywords: privacy
Assignee | ||
Comment 2•20 years ago
|
||
> Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040803
did you install any extensions on that build?
Reporter | ||
Comment 3•20 years ago
|
||
No extensions were installed on the Windows-build at that time.
Comment 4•20 years ago
|
||
Privacy issue, but not an exploit: clearing security flag. Has nothing to do with sidebar, it appears to be whatever happens to be in the content window is sent when you shift-enter (download/save) the location bar url. It should not send the referrer, just as we don't if you type into the location bar and load it into the browser window. Could be embarassing :-) 0[263f18]: http request [ 0[263f18]: HEAD / HTTP/1.1 0[263f18]: Host: www.mozilla.org ... 0[263f18]: Referer: http://www.google.com/search?hl=en&ie=UTF-8&q=bedwetting&btnG=Google+Search 0[263f18]: ]
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: sidebar-URL is sent as referer when pressing shift-enter in location field → Current referer sent when pressing shift-enter in location field
Whiteboard: [sg:nse]
Comment 5•20 years ago
|
||
This might explain why I get a lot of bogus referrers from Firefox UAs on my blog, although I don't understand why people would be saving my page...
Assignee | ||
Comment 6•20 years ago
|
||
this is entirely in frontend code, fixing component. taking, but I'll wait with fixing this until bug 160454 gets checked in, which is rewriting the involved code. see the unchecked usages of getReferrer in contentAreaUtils.js for the involved code. this could be called a regression, because for a while we sent no referrer...
Assignee: darin → cbiesinger
Component: Networking: HTTP → XP Apps: GUI Features
OS: Linux → All
Hardware: PC → All
Assignee | ||
Comment 7•20 years ago
|
||
Assignee | ||
Updated•20 years ago
|
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8alpha5
Assignee | ||
Updated•20 years ago
|
Attachment #163321 -
Flags: superreview?(bzbarsky)
Attachment #163321 -
Flags: review?(neil.parkwaycc.co.uk)
Comment 8•20 years ago
|
||
Comment on attachment 163321 [details] [diff] [review] patch so, why are you putting aReferrer before aChosenData when we're not actually using aChosenData yet?
Assignee | ||
Comment 9•20 years ago
|
||
neil: hm, no real reason. I can change it if you want (I'd prefer not to add a new patch just to switch the order of the two params, though)
Comment 10•20 years ago
|
||
Comment on attachment 163321 [details] [diff] [review] patch >+ var referrer = null; >+ if (aDocument.referrer) >+ referrer = makeURI(aDocument.referrer, aDocument.characterSet); >+ > if (aDocument) Need to null check aDocument more here. I noticed a couple of places where you could have used makeURI.
Comment 11•20 years ago
|
||
Comment on attachment 163321 [details] [diff] [review] patch Cancelling due to bitrot.
Attachment #163321 -
Flags: superreview?(bzbarsky)
Attachment #163321 -
Flags: review?(neil.parkwaycc.co.uk)
Updated•20 years ago
|
Product: Core → Mozilla Application Suite
Assignee | ||
Comment 12•20 years ago
|
||
(for my reference: bug 239472)
Assignee | ||
Updated•19 years ago
|
Priority: -- → P1
Assignee | ||
Comment 13•19 years ago
|
||
Attachment #163321 -
Attachment is obsolete: true
Attachment #181720 -
Flags: review?(neil.parkwaycc.co.uk)
Assignee | ||
Updated•19 years ago
|
Target Milestone: mozilla1.8alpha5 → Seamonkey1.0alpha
Comment 14•19 years ago
|
||
Comment on attachment 181720 [details] [diff] [review] updated patch What about the changes to pageInfo.js saveMedia() and contentAreaUtils.js getReferrer() [note that the old change looks inaccurate] and saveDocument() [which was also incorrect]? >+ saveURL(href, linkNode ? gatherTextUnder(linkNode) : "", >+ "SaveLinkTitle", false, getReferrer(document)); Sorry that I missed this in the previous review, but "false" is not documented as a legal value for aChosenData. I told you you should have put aReferrer first :-P
Assignee | ||
Comment 15•19 years ago
|
||
(In reply to comment #14) > (From update of attachment 181720 [details] [diff] [review] [edit]) > What about the changes to pageInfo.js saveMedia() and contentAreaUtils.js > getReferrer() [note that the old change looks inaccurate] and saveDocument() > [which was also incorrect]? pageInfo now does pass a referrer (bug 239472) contentAreaUtils.js - you mean the charset passing? how does it look incorrect? > Sorry that I missed this in the previous review, but "false" is not documented > as a legal value for aChosenData. I told you you should have put aReferrer > first :-P That's not untrue, but saveURL does not have an aChosenData argument? http://lxr.mozilla.org/seamonkey/source/xpfe/communicator/resources/content/contentAreaUtils.js#219
Comment 16•19 years ago
|
||
Comment on attachment 181720 [details] [diff] [review] updated patch OK, so you lost the getReferrer() charset change, but I don't think that was correct anyway. Note to self: do reviews during daylight hours!
Attachment #181720 -
Flags: review?(neil.parkwaycc.co.uk) → review+
Assignee | ||
Updated•19 years ago
|
Attachment #181720 -
Flags: superreview?(jag)
Updated•19 years ago
|
Attachment #181720 -
Flags: superreview?(jag) → superreview+
Assignee | ||
Comment 17•19 years ago
|
||
Comment on attachment 181720 [details] [diff] [review] updated patch fixes a privacy problem, only affects seamonkey
Attachment #181720 -
Flags: approval1.8b2?
Comment 18•19 years ago
|
||
Comment on attachment 181720 [details] [diff] [review] updated patch a=dveditz
Attachment #181720 -
Flags: approval1.8b2? → approval1.8b2+
Assignee | ||
Comment 19•19 years ago
|
||
Checking in xpfe/communicator/resources/content/contentAreaClick.js; /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaClick.js,v <-- contentAreaClick.js new revision: 1.44; previous revision: 1.43 done Checking in xpfe/communicator/resources/content/contentAreaUtils.js; /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaUtils.js,v <-- contentAreaUtils.js new revision: 1.129; previous revision: 1.128 done Checking in xpfe/communicator/resources/content/nsContextMenu.js; /cvsroot/mozilla/xpfe/communicator/resources/content/nsContextMenu.js,v <-- nsContextMenu.js new revision: 1.101; previous revision: 1.100 done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•