358548 - xmlhttprequest is not allowed to modify the Referer header

Status: RESOLVED INVALID

(Core :: XML, defect)

Description

[kmac34567]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

If you change the referer using the setrequestheader, it does not correctly send the new updated referer, but rather the page the request was sent from. 

On the URL above, the referer that is sent should be http://google.com, but it is not.

Reproducible: Always

Steps to Reproduce:
1.Create a new xmlhttprequest 
2.Use setrequestheader to edit the referer


Actual Results:  
The normal referer is sent in the header.

Expected Results:  
The updated referer should've been sent.

Comment 1

[Jesse Ruderman]

You aren't allowed to spoof referrers because they're an important part of the security model.  Otoh, maybe it should be allowed since you're only spoofing it to the same site...

Comment 2

[Jesse Ruderman]

I think it makes the security model simpler if you're not allowed to spoof referers, and I don't see why you would want to be able to spoof them.

Comment 3

[Jesse Ruderman]

There was some discussion in bug 302263 about whether spoofing the Referer header for XMLHttpRequest should be allowed.

Comment 4

[kmac34567]

(In reply to comment #2)
> I think it makes the security model simpler if you're not allowed to spoof
> referers, and I don't see why you would want to be able to spoof them.
> 
For me, it is incredibly useful in building Greasemonkey scripts. 

That said, I don't see anyplace where the Firefox Team said they intentionally did this. And, considering it worked in 1.5, I assumed it was a bug. I still think it is.

Security wise, this can only be done on the same domain, so there is little to no security reason to do this.

Also, what is the purpose of the setrequestheader, if it does not have full access to the headers sent?

Comment 5

[Jesse Ruderman]

Oh, this is for a Greasemonkey script... hmm.  Can you do what you want using GM_xmlhttpRequest?  If not, maybe you could get a feature added to Greasemonkey allowing you to set the referrer header for GM_xmlhttpRequest.

Why did you move this from Core > XML to Firefox > General?

Comment 6

[kmac34567]

(In reply to comment #5)
> Oh, this is for a Greasemonkey script... hmm.  Can you do what you want using
> GM_xmlhttpRequest?  If not, maybe you could get a feature added to Greasemonkey
> allowing you to set the referrer header for GM_xmlhttpRequest.
Can one still do that? The Greasemonkey code appears to just use the same setrequestheader as normal web-pages do.


> Why did you move this from Core > XML to Firefox > General?

I wasn't aware that I had. Apologies, this is my first bug report, so if I did, I didn't intend to, and you can switch it to whatever you like.

Comment 7

[Dão Gottwald [:dao]]

http://www.w3.org/TR/XMLHttpRequest/#dfn-setrequestheader
So Firefox does the right thing.

Could be a Greasemonkey bug though.

Comment 8

[Jason Barnabe (np)]

XMLHttpRequests from chrome also have this restriction. Shouldn't it just apply to content XHRs, just like chrome XHRs have the ability to do cross-domain requests and content XHRs don't?

Comment 9

[Jason Barnabe (np)]

See bug 383178 for allowing it in chrome.