Closed Bug 263216 Opened 21 years ago Closed 21 years ago

links opened into new tab from ChatZilla pass the URL of the current tab as the http Referer

Categories

(Firefox :: Tabbed Browser, defect, P4)

RESOLVED FIXED
Firefox1.5

People

(Reporter: rdmsoft, Assigned: Gavin)

Details

(Keywords: privacy, Whiteboard: [sg:fix] cz-patch)

Attachments

(2 files, 4 obsolete files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-gb; rv:1.7.3) Gecko/20041002 Firefox/0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-gb; rv:1.7.3) Gecko/20041002 Firefox/0.10

Chatzilla 0.9.65 [Mozilla rv:1.7.3/20041002]

When I click a link in ChatZilla, the Referer: header passed to the new page includes the URL of my active tab.

Reproducible: Always

Steps to Reproduce:
1. Open a page, for example, http://www.mozilla.org/ .
2. Leaving that page as the current tab, open ChatZilla.
3. Say "http://rdmsoft.com/bugs/showreferrer.php" in a channel and click the link.

Actual Results: The php page (<?php echo $_SERVER['HTTP_REFERER']; ?>) is able to see the address of the tab that was active when you clicked the link in ChatZilla.

Expected Results: No referrer information should be passed, the script on my server shouldn't know what was on your active tab.
However I open the URL, it works here (i.e. it's entirely blank). It would most likely be a Mozilla bug anyway, should the referrer be leaking.
I see this also, firefox 1.0+ and cz 0.9.66

Reproduced using this text in chatzilla.
"click this link http://slashdot.org/favicon.ico then this link bug 268629 makes bz say Ook!"

Even the first link has the referrer of the firefox start page (google.com/firefox).

The LiveHttpHeaders extension says:

http://slashdot.org/favicon.ico

GET /favicon.ico HTTP/1.1
Host: slashdot.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
If-Modified-Since: Thu, 04 Nov 2004 15:47:00 GMT
If-None-Match: "1f81e5-13e-418a4ef4"
Cache-Control: max-age=0

HTTP/1.x 304 Not Modified
Date: Tue, 09 Nov 2004 19:00:41 GMT
Server: Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a mod_perl/1.29
Connection: close
Etag: "1f81e5-13e-418a4ef4"
----------------------------------------------------------
https://bugzilla.mozilla.org/show_bug.cgi?id=268629

GET /show_bug.cgi?id=268629 HTTP/1.1
Host: bugzilla.mozilla.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041109 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://slashdot.org/favicon.ico

HTTP/1.x 302 Found
Date: Tue, 09 Nov 2004 19:00:30 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
Location: https://bugzilla.mozilla.org/slashdot/index.html?id=268629
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
----------------------------------------------------------
confirmed linux fx 1.0 + cz 0.9.66

This only happens when opening into a new tab; open in same tab and open in new window are not affected. cf bug 258185
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Summary: links from ChatZilla pass the URL of the current tab as the http referrer → links opened into new tab from ChatZilla pass the URL of the current tab as the http Referer
This is not a ChatZilla bug, it's a Firefox bug. Firefox's openNewTabWith function does not give any options on referrer - it always sends it. In Mozilla, the function gives us the choice - and ChatZilla says "no thanks" to the referrer. Compare http://lxr.mozilla.org/mozilla/source/xpfe/communicator/resources/content/contentAreaUtils.js#118 to http://lxr.mozilla.org/mozilla/source/browser/base/content/contentAreaUtils.js#6 However, I don't know what to do with this bug... I really really object to the idea of copying and re-writing the code in openNewTabWith to ChatZilla, as that breaks the whole encapsulation thing. I'm actually leaning on WONTFIX for this, as there's nothing sensible ChatZilla can do about this Firefox bug that I can see/find.
-> Firefox.
Assignee: rginda → bugs
Component: ChatZilla → Tabbed Browser
Product: Browser → Firefox
QA Contact: samuel → firefox.tabbed-browser
Hardware: PC → All
*** Bug 273033 has been marked as a duplicate of this bug. ***
*** Bug 284843 has been marked as a duplicate of this bug. ***
This is only a problem with Chatzilla's use of the internal openNewTabWith function, right? In that case, let's just add the parameter for whether or not to send referer data like Seamonkey, and have Chatzilla use it correctly.
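An added example, not code from this bug, Firefox or ChatZilla: a simplified model of the leak and of the proposed opt-in parameter, with a regression check a test suite could run. TabBrowser, addTab as modelled here, openNewTabWithLeaky and leaksActiveTab are hypothetical names; sendReferrer follows the suite signature quoted later in this bug, and defaulting it to false is an assumption.

```javascript
// Simplified model of a tabbed browser. NOT Firefox's contentAreaUtils.js;
// every name except openNewTabWith/sendReferrer is hypothetical.
class TabBrowser {
  constructor(currentURI) {
    this.currentURI = currentURI; // page shown in the active tab
    this.requests = [];           // header sets that would go on the wire
  }
  addTab(url, referrer) {
    const headers = { Host: new URL(url).host };
    if (referrer) headers.Referer = referrer;
    this.requests.push({ url, headers });
    return headers;
  }
}

// Behaviour described in the bug: the referrer is always the active tab.
function openNewTabWithLeaky(browser, url) {
  return browser.addTab(url, browser.currentURI);
}

// Behaviour asked for: the caller decides (assumed default: send nothing).
function openNewTabWith(browser, url, sendReferrer = false) {
  const referrer = sendReferrer ? browser.currentURI : null;
  return browser.addTab(url, referrer);
}

// Regression check: list the requests that exposed the active tab's URL.
// A link opened from outside web content (a chat client) should yield none.
function leaksActiveTab(browser) {
  return browser.requests
    .filter((r) => r.headers.Referer === browser.currentURI)
    .map((r) => r.url);
}

function demo() {
  const active = "http://www.mozilla.org/";                // from the report
  const link = "http://rdmsoft.com/bugs/showreferrer.php"; // from the report
  const before = new TabBrowser(active);
  openNewTabWithLeaky(before, link);
  const after = new TabBrowser(active);
  openNewTabWith(after, link, false); // chat client opts out
  const inPage = new TabBrowser(active);
  openNewTabWith(inPage, link, true); // in-page link opts in
  return {
    before: leaksActiveTab(before),
    after: leaksActiveTab(after),
    inPage: inPage.requests[0].headers.Referer,
  };
}
```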
Assignee: bugs → gavin.sharp
Attached patch Patch (obsolete) — Splinter Review
Like this?
Attached patch Patch for chatzilla (obsolete) — Splinter Review
And for Chatzilla...
Attachment #176526 - Flags: review?(mconnor)
It is not exactly an /internal/ function, but yes, the problem is simply its lack of override on the referrer.
Comment on attachment 176527 [details] [diff] [review] Patch for chatzilla >Index: extensions/irc/xul/content/commands.js > if (client.host == "Mozilla") { >- window.openNewTabWith(e.url, false, false); >+ window.openNewTabWith(e.url, false, false, null, null, false); Why did you change this? Mozilla's version of the function is this: openNewTabWith(url, sendReferrer, reverseBackgroundPref)
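Review bot: the changed call inside the `client.host == "Mozilla"` branch passes six positional arguments to a function that, per the signature quoted in this review, takes three (url, sendReferrer, reverseBackgroundPref). The removed line already passed false in the sendReferrer position, so this branch was not sending a referrer and should stay as `window.openNewTabWith(e.url, false, false);`. Wherever the longer form is kept, a short comment naming what each bare `null` and `false` stands for would make it possible to check the referrer argument at the call site.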
(In reply to comment #11) > It is not exactly an /internal/ function Right, internal was a bad word to use. And after looking at it more, I assume that the first hunk of the Chatzilla patch isn't necessary.
Attachment #176527 - Attachment is obsolete: true
Thanks for pointing that out, James.
Comment on attachment 176529 [details] [diff] [review] Patch for chatzilla (Checked in) r=silver@warwickcompsoc.co.uk Looks good to me, just need the Firefox half in.
Attachment #176529 - Flags: review+
Attachment #176526 - Attachment is obsolete: true
Attachment #176526 - Flags: review?(mconnor)
Attached patch Patch v2 (obsolete) — Splinter Review
Modified patch per comments from mconnor.
Attachment #176530 - Flags: review?(mconnor)
Comment on attachment 176529 [details] [diff] [review] Patch for chatzilla (Checked in) The argument needs to be true now, not false.
Attachment #176529 - Attachment is obsolete: true
Attached patch Patch v3 (obsolete) — Splinter Review
Attachment #176530 - Attachment is obsolete: true
Attachment #176532 - Flags: review?(mconnor)
Attachment #176529 - Attachment is obsolete: false
Attachment #176530 - Flags: review?(mconnor)
Attachment #176532 - Attachment is obsolete: true
Attachment #176532 - Flags: review?(mconnor)
The last patch should use "document", not "doc", but otherwise should work. 4 broken patches in 1.5 hours might be my record.
Status: NEW → ASSIGNED
Priority: -- → P4
Target Milestone: --- → Firefox1.1
Attachment #176657 - Flags: review?(mconnor)
Keywords: privacy
Whiteboard: [sg:fix]
Whiteboard: [sg:fix] → [patch-r?] [sg:fix]
Attachment #176657 - Flags: review?(mconnor) → review+
Whiteboard: [patch-r?] [sg:fix] → [checkin needed] [sg:fix]
I checked in the Firefox part:

Checking in contentAreaUtils.js;
/cvsroot/mozilla/browser/base/content/contentAreaUtils.js,v <-- contentAreaUtils.js
new revision: 1.65; previous revision: 1.64
done

please close as fixed if the chatzilla part is in.
Attachment #176657 - Attachment description: Patch v2394 → Patch v4 (checked in)
Whiteboard: [checkin needed] [sg:fix] → [checkin needed] [sg:fix] cz-patch
Comment on attachment 176529 [details] [diff] [review] Patch for chatzilla (Checked in)

Checking in commands.js;
/cvsroot/mozilla/extensions/irc/xul/content/commands.js,v <-- commands.js
new revision: 1.60; previous revision: 1.59
done
Attachment #176529 - Attachment description: Patch for chatzilla → Patch for chatzilla (Checked in)
Marking fixed, can someone verify?
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [checkin needed] [sg:fix] cz-patch → [sg:fix] cz-patch