Closed Bug 76326 Opened 23 years ago Closed 14 years ago

Restrict which pages can see HTTP referrer

Categories

(Core :: Security: CAPS, enhancement, P1)

Tracking

RESOLVED WORKSFORME
Future

People

(Reporter: markushuebner, Assigned: dveditz)

HTTP pages shouldn't be able to see file:/// referers, but file:/// pages 
should be able to see file or HTTP referers.
Is there some sort of spec? Belongs in DOM 0 probably.
Interesting, but I'm not sure the spec agrees.

How about CAPS settings which would allow the user to specify which transitions 
pass referrer and which do not?
Assignee: asa → mstoltz
Component: Browser-General → Security: CAPS
QA Contact: doronr → ckritzer
RFC 2616, section 15.1.3:

  Clients SHOULD NOT include a Referer header field in a (non-secure)
  HTTP request if the referring page was transferred with a secure
  protocol.

I consider file:/// a secure protocol.

However, I cannot confirm this bug with 2001-04-15-20, Win NT. To test you can
make up a local document linking to http://clarence.de/utilities/http.cgi
(sorry, language is German, but you'll understand it).

Meta bug for HTTP Referer is bug 61660.
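
The RFC 2616 rule quoted above, with file: counted as secure as that comment assumes, combined with the per-transition setting suggested earlier in the thread. This is an added example, not part of the bug thread and not Mozilla's CAPS code; `maySendReferrer`, the `userPolicy` format and the sample URLs are hypothetical.

```javascript
// Added illustration: a hypothetical referrer policy check, not Mozilla's CAPS code.

// Schemes counted as "secure" for the RFC 2616 section 15.1.3 rule.
// Counting file: as secure is the assumption stated in the comment above.
const SECURE_SCHEMES = new Set(["https:", "file:"]);

// Returns the scheme ("http:", "file:", ...) or null if the URL does not parse.
function schemeOf(url) {
  try {
    return new URL(url).protocol;
  } catch (e) {
    return null;
  }
}

// Decide whether a request for toUrl may carry fromUrl as its referrer.
// userPolicy maps "from->to" scheme pairs to true/false (hypothetical format)
// and is consulted before the RFC default, as a per-transition setting would be.
function maySendReferrer(fromUrl, toUrl, userPolicy = {}) {
  const from = schemeOf(fromUrl);
  const to = schemeOf(toUrl);
  if (from === null || to === null) return false; // fail closed on bad input
  const key = `${from}->${to}`;
  if (Object.prototype.hasOwnProperty.call(userPolicy, key)) {
    return userPolicy[key] === true;
  }
  // RFC default: secure referring page + non-secure request => omit the header.
  return !(SECURE_SCHEMES.has(from) && !SECURE_SCHEMES.has(to));
}

// Constructed sample transitions (example.test is a placeholder host).
const SAMPLES = [
  ["file:///home/u/notes.html", "http://example.test/"],
  ["file:///home/u/notes.html", "file:///home/u/other.html"],
  ["http://example.test/a", "file:///home/u/notes.html"],
  ["https://example.test/a", "http://example.test/b"],
];

// Evaluate every sample transition under the given user policy.
function evaluateSamples(userPolicy = {}) {
  return SAMPLES.map(([from, to]) => maySendReferrer(from, to, userPolicy));
}

console.log(evaluateSamples());
```

With no user policy, the RFC default alone reproduces the behaviour requested at the top of the thread: file: to http: is blocked, while file: to file: and http: to file: are allowed.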

Interesting idea, I'll look into it. Yes, we could allow the security/privacy
policy to control who can see the referrer field.
Severity: normal → enhancement
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: document.referrer → [RFE]Restrict which pages can see HTTP referrer
For the second part of this bug:
- Pages retrieved via HTTP cannot access file: URLs. See bug 40538.
- There is no referrer for the file: protocol. We could emulate it for JS/DOM
  (4.x does so), but that would be a bug on its own (low priority, IMHO).
Severity: enhancement → normal
Summary: [RFE]Restrict which pages can see HTTP referrer → document.referrer
Severity: normal → enhancement
Summary: document.referrer → [RFE]Restrict which pages can see HTTP referrer
Target Milestone: --- → mozilla1.0
Target is now 0.9.5, Priority P1.
Priority: -- → P1
Target Milestone: mozilla1.0 → mozilla0.9.5
time marches on...retargeting to 0.9.6
Target Milestone: mozilla0.9.5 → mozilla0.9.6
Target Milestone: mozilla0.9.6 → mozilla1.0
Keywords: mozilla1.0
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 
(you can query for this string to delete spam or retrieve the list of bugs I've 
moved)
Target Milestone: mozilla1.0 → mozilla1.0.1
I believe there's also a thing named "e-mail (from:)" which could supply your 
POP3 e-mail program's information to the site. Dunno if it's e-mail address, 
sender nick or which information. Anyway, as I see it, a restricting function 
for this would be even more urgent.
Keywords: mozilla0.9.9
Blocks: 61660
OS: Windows 2000 → All
Hardware: PC → All
Target Milestone: mozilla1.0.1 → Future
This bug has been around for quite a long time now - any chance to get this in 
soon?
Keywords: mozilla1.2
Summary: [RFE]Restrict which pages can see HTTP referrer → Restrict which pages can see HTTP referrer
Really think this one would need some attention now after such a long time
passing by.
Assignee: security-bugs → dveditz
Status: ASSIGNED → NEW
QA Contact: ckritzer → caps
WFM, http: pages do not see file:/// referrers. This got fixed somewhere along the way in another bug.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME