WRMB: http referrer from https should be supplied when target is same secure server

VERIFIED FIXED in psm2.1

Status

defect
P1
normal
VERIFIED FIXED
18 years ago
3 years ago

People

(Reporter: ssaux, Assigned: ddrinan0264)

Tracking

({topembed})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ckritzer])

Attachments

(3 attachments)

Reporter

Description

18 years ago
See bug 82479. We made sure that we would not send the referrer from https to
http, but the implementation also removed the referrer in the case when the
request is to the same encrypted server. This is unnecessarily broad.
Reporter

Comment 1

18 years ago
t->2.1
Keywords: nsenterprise
Priority: -- → P2
Target Milestone: --- → 2.1
Reporter

Comment 2

18 years ago
*** Bug 89243 has been marked as a duplicate of this bug. ***
Reporter

Updated

18 years ago
Priority: P2 → P1
Assignee

Comment 3

18 years ago

Comment 4

18 years ago
ddrinan:

you should really use SchemeIs in place of GetScheme/strcmp.
You should be using strcasecmp to compare the schemes and the hosts, since both
of those are case insensitive, according to the appropriate RFCs.
Reporter

Comment 6

18 years ago
adding patch keyword.
Keywords: patch
Assignee

Comment 7

18 years ago
r=bbaetz. The spec says (RFC2616, 15.1.3):

"  Clients SHOULD NOT include a Referer header field in a (non-secure)
   HTTP request if the referring page was transferred with a secure
   protocol."

Should we check ports as well, or let it through anyway?
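
As an added illustration of the rule being reviewed above (not code from nsHttpChannel.cpp or the patch on this bug), the following stand-alone C++ decision function applies the RFC 2616 15.1.3 restriction together with the "same secure server" exception this bug asks for, comparing scheme and host case-insensitively as Comment 4 requires; the port comparison answers Comment 7's question with an assumption (ports must match), and `parseUrl` is a minimal hypothetical helper, not a Mozilla API.

```cpp
// Added example, not Mozilla's own code: decides whether a Referer header
// may accompany a request, per the rule discussed in this bug.
#include <algorithm>
#include <cctype>
#include <string>

struct UrlParts {
    std::string scheme;  // lower-cased, schemes are case-insensitive
    std::string host;    // lower-cased, hosts are case-insensitive
    int port;            // explicit port, or the scheme's default
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Hypothetical minimal parser for scheme://host[:port][/path]; only as much
// as the cases on this bug need (no userinfo, IPv6 literals, etc.).
static bool parseUrl(const std::string& url, UrlParts& out) {
    std::string::size_type sep = url.find("://");
    if (sep == std::string::npos) return false;
    out.scheme = toLower(url.substr(0, sep));
    std::string rest = url.substr(sep + 3);
    std::string authority = rest.substr(0, rest.find('/'));
    std::string::size_type colon = authority.find(':');
    if (colon == std::string::npos) {
        out.host = toLower(authority);
        out.port = (out.scheme == "https") ? 443 : 80;
    } else {
        out.host = toLower(authority.substr(0, colon));
        out.port = std::stoi(authority.substr(colon + 1));
    }
    return !out.host.empty();
}

// RFC 2616 15.1.3: a secure referring page must never be disclosed to a
// non-secure target. The exception this bug asks for: keep the Referer when
// the target is the same secure server (same scheme, host and, assumed here,
// port). Unparseable input is treated conservatively: no Referer.
bool shouldSendReferrer(const std::string& referrer, const std::string& target) {
    UrlParts ref, dst;
    if (!parseUrl(referrer, ref) || !parseUrl(target, dst)) return false;
    if (ref.scheme != "https") return true;   // non-secure origin: rule does not apply
    if (dst.scheme != "https") return false;  // https -> http: strip
    return ref.host == dst.host && ref.port == dst.port;  // same secure server
}
```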

Comment 9

18 years ago
ddrinan, sr=darin provided you fix the indentation to make it consistent with the
rest of nsHttpChannel.cpp (4 spaces of indentation).

Comment 10

18 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Assignee

Comment 11

18 years ago
Fix checked in.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED
Reporter

Comment 12

18 years ago
keywords->verifyme
Keywords: patchverifyme
Assignee

Comment 13

18 years ago
bbaetz has informed me that this bug is needed for the branch. Re-opening and 
adding keyword topembed.
Status: RESOLVED → REOPENED
Keywords: topembed
Resolution: FIXED → ---
sr=blizzard

Comment 15

18 years ago
this is a war room bug that we'd like to get on the 0.9.2 branch
Summary: http referrer from https should be supplied when target is same secure server → WRMB: http referrer from https should be supplied when target is same secure server

Comment 16

18 years ago
Approved for check in to the branch by verbal comment from chofmann.
Assignee

Comment 17

18 years ago
Checked into the 0.9.2 branch. Marking fixed.
Status: REOPENED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Updated

18 years ago
Blocks: 87417

Comment 18

18 years ago
Did this re-break in 0.9.3? 0.9.3 on Linux (RH7.1), I'm very clearly not getting
the referer (sic referrer) header when going from one https document to a linked
https document on the same server.

Comment 19

18 years ago
Just to add a clarification... the problem I'm seeing is https->https, which is
technically different than this bug. BUT... this worked properly in 0.9.1, so
the patch for this bug may have had the unintended side effect of messing up
https->https.
Assignee

Comment 20

18 years ago
This fix did not make it in to 0.9.3. It's checked into the 0.9.2 branch and 
the trunk.

Updated

18 years ago
Whiteboard: [ckritzer]
*** Bug 93310 has been marked as a duplicate of this bug. ***
*** Bug 97303 has been marked as a duplicate of this bug. ***
Reporter

Comment 24

18 years ago
*** Bug 100289 has been marked as a duplicate of this bug. ***

Comment 25

18 years ago
Verified fixed.
Status: RESOLVED → VERIFIED
QA Contact: ckritzer → junruh
*** Bug 103838 has been marked as a duplicate of this bug. ***

Comment 27

18 years ago
*** Bug 96912 has been marked as a duplicate of this bug. ***

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

11 years ago
Version: psm2.0 → 1.0 Branch
Keywords: verifyme
Product: Core → Core Graveyard