Closed Bug 82479 Opened 24 years ago Closed 23 years ago

HTTP Referer: for SSL page should not be sent to insecure page

Categories

(Core Graveyard :: Security: UI, defect, P1)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Platform:
x86
All
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.0

People

(Reporter: thayes0993, Assigned: javi)

References

(
URL
)

Details

(Whiteboard: PDT+; critical for 0.9.2; checked in; needs verification)

Attachments

(2 files)

Part of log of http server showing https referrer get data.
373 bytes, text/plain
Details
patch that doesn't set referrer if it's an https field.
618 bytes, patch
Details | Diff | Splinter Review
We need to verify that the HTTP protocol engine does NOT send a Referer: field for HTTP requests that are initiated by links on secure pages, but which refer to insecure servers. This restriction was implemented in N4.X to prevent session ids and other similar information from being transmitted to the insecure site (over unencrypted channels) in the Referer field.
Makes sense to me. Is there any RFC that says this, just in case people complain after we do this? +qawanted, b/c someone should set up a test page to verify this when it gets done.
Keywords: qawanted
I made a testcase here: https://atari.saturn5.com/~jwb/referer-test.html Mozilla 2001-05-28-08 Linux trunk fails the test.
URL: https://atari.saturn5.com/~jwb/refere...
Severity: normal → major
OS: Windows NT → All
Of course you can also verify this using a network packet analyzer like ethereal or tcpdump.
I added a second test which Mozilla also fails. Is there a client security keyword?
Bob: Anything need to be done to this bug to make sure the right security people see it?
I hope nobody minds that I am reassigning this to security: crypto.
Assignee: neeti → ddrinan
Component: Networking: HTTP → Security: Crypto
QA Contact: benc → junruh
Moving from Browser/Security:Crypto to PSM 2.0.
Component: Security: Crypto → Client Library
Product: Browser → PSM
Target Milestone: --- → 2.0
Version: other → 2.0
p1
Priority: -- → P1
internal test case: http://beaver.netscape.com add something to the cart. from the cart display, click on one of the navigation tabs, which use http:// The browser will send the https: referrer with all the data from the get that produced the cart display.
PDT for PSM
Whiteboard: PDT
PDT+ as per Steve Elmeer 6/20/2001
Whiteboard: PDT → PDT+
Adding dougt to the CC list, I believe he is helping with this one? Any eta?
Whiteboard: PDT+ → PDT+; need eta
Whiteboard: PDT+; need eta → PDT+; eta 6/22
Re-assiging to Javi.
Assignee: ddrinan → javi
r/sr=darin
Whiteboard: PDT+; eta 6/22 → PDT+; eta 6/22; have patch
a=chofmann
Patch checked in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Whiteboard: PDT+; eta 6/22; have patch → PDT+; eta 6/22; have patch; critical for 0.9.2
whiteboard: checked in; needs verification.
Whiteboard: PDT+; eta 6/22; have patch; critical for 0.9.2 → PDT+; eta 6/22; critical for 0.9.2; checked in; needs verification
Marking verified. The 6/22 build passes Jaffrey Baker's test https://atari.saturn5.com/~jwb/referer-test.html
Status: RESOLVED → VERIFIED
Whiteboard: PDT+; eta 6/22; critical for 0.9.2; checked in; needs verification → PDT+; eta 6/22; critical for 0.9.2; checked in
whiteboard->needs verification
Whiteboard: PDT+; eta 6/22; critical for 0.9.2; checked in → PDT+; critical for 0.9.2; checked in; needs verification
Keywords: qawanted
The fix goes to far: now, 'Referer:' is stripped for all urls with https schemes, even when retieving another secure page from the same server. For example if you go to <https://www.lanfear.net/~mark/> and activate the "foo.pl" link which goes to <https://www.lanfear.net/~mark/foo.pl> HTTP_REFERER is no longer set. Both Netscape Communicator 4.76 and Mozilla 0.9.1 send the 'Referer:' header in this case. It seems as though 'Referer:' should at least be present when retrieving another secure document on the same server. My non-expert opinion is that 'Referer' should always be present. It is the burden of the authors of the page to not put links on their secure pages to unsecure documents when sensitive information is part of the url. Either make the information part of a POST rather than a GET (which makes bookmarking the page impossible, so this option isn't optimal), use cookies to set and get the sensitive information, or simply have the links on the page that would expose sensitive information point to a bouncer URL that strips that info off before redirecting. Thus, I suggest that this change be removed, or change Mozilla so that going from secure document to secure document on the same host keeps the 'Referer:' intact. (The latter would fix the problem I am having.) Looking at the patch attached to this bug that seems as though the latter option would require major work since it looks like 'Referer:' is turned on an off on a per-scheme basis only with no finer grain of control.
Mark: I think your point makes good sense, are there sites that depend on this or standards that reference this situation? I'm not programmer, but wouldn't the proper methodology be to simply someone check to see if the referer URL starts w/ "https://" and then set it to NULL? It sounds like we should have a null check for sending "Refer: <NULL>" to remove the line, so that would clean things up on the fly.
There are many reasons why web page designers want to refer to unsecure servers from a secure page. 1) because https is more expensive, e-commerce site only use https for sensitive operations. The resulting page will have links back to non-sensitive area of the site such as browsing the catalog, and the link will have http:// hardcoded to maximize the use of a cheaper resource. 2) because many site sign contract for advertising requiring that an http:// link be present on the result of a GET form submission using their own https server. It's presumptuous to ask them to jump through hoops to ensure that the form submission data not be passed to their partner. Nevertheless there is no reason to not include the referrer when the link is to the same encrypted server. Moreover, an argument can be made that even when the target is not using encryption, then some part of the referrer should be available (maybe everything before a "?"). Surely, much less sensitive information is encoded into the part before the "?" than in the GET name/value pairs.
Whoa there :) Don't make too many assumptions. Many sites use a critical session ID in the URL, not in the query string or cookies. Commonly, these look like https://somesite.com/deadbeef/path?query, or https://somesite.com/path/deadbeef?query. The existing behavior is the most desirable from the site operator's standpoint: no referer header should ever be sent from an https site to an http site, even if the the hostname is the same. Also of course it is very desirable to have referer headers within a secure site, so this fix is broken.
ok, the argument can be made, but it's lousy. I agree that the best implementation should be as the previous poster. Note that on 4.7X https => http on the same server sends the referrer. So this would be more restrictive (and more secure). I'm opening a new bug (this one is fixed, we don't send referrer to http).
Opened bug 89995
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: