Closed
Bug 89995
Opened 24 years ago
Closed 24 years ago
WRMB: http referrer from https should be supplied when target is same secure server
Categories
(Core Graveyard :: Security: UI, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
psm2.1
People
(Reporter: ssaux, Assigned: ddrinan0264)
References
Details
(Keywords: topembed, Whiteboard: [ckritzer])
Attachments
(3 files)
1.61 KB, patch
1.51 KB, patch
490 bytes, text/plain
See bug 82479. We made sure that we would not send the referrer from https to http, but the implementation also removed the referrer in the case when the request is to the same encrypted server. This is unnecessarily broad.
Reporter
Comment 1•24 years ago
t->2.1
Reporter
Updated•24 years ago
Priority: P2 → P1
Assignee
Comment 3•24 years ago
Comment 4•24 years ago
ddrinan: you should really use SchemeIs in place of GetScheme/strcmp.
Comment 5•24 years ago
You should be using strcasecmp to compare the schemes and the hosts, since both of those are case insensitive, according to the appropriate RFCs.
Assignee
Comment 7•24 years ago
Comment 8•24 years ago
r=bbaetz. The spec says (RFC2616, 15.1.3): "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." Should we check ports as well, or let it through anyway?
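The rule discussed in the comments above, as an added C++ example that is not part of this bug's patches or of nsHttpChannel.cpp: a referrer from an https page is sent only to the same secure server, with scheme and host compared case-insensitively. `Origin`, `ParseOrigin`, `ShouldSendReferrer` and the `requireSamePort` flag are hypothetical names; the flag leaves the port question from comment 8 to the caller, and suppressing the header for a different https host is an assumption taken from the bug's "same secure server" wording.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical helper type: the parts of an absolute URL the check needs.
struct Origin { std::string scheme, host; int port = -1; };

static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Parses "scheme://host[:port]/..." only. Userinfo and IPv6 literals are
// rejected to keep the sketch small (assumption, not browser behaviour).
static bool ParseOrigin(const std::string& url, Origin& out) {
    const std::size_t sep = url.find("://");
    if (sep == std::string::npos || sep == 0) return false;
    out.scheme = Lower(url.substr(0, sep));
    const std::size_t start = sep + 3;
    const std::size_t end = url.find_first_of("/?#", start);
    const std::string auth =
        url.substr(start, end == std::string::npos ? end : end - start);
    if (auth.find_first_of("@[") != std::string::npos) return false;
    const std::size_t colon = auth.find(':');
    out.host = Lower(auth.substr(0, colon));
    if (out.host.empty()) return false;
    out.port = out.scheme == "https" ? 443 : out.scheme == "http" ? 80 : -1;
    if (colon != std::string::npos) {
        const std::string p = auth.substr(colon + 1);
        if (p.empty() || p.size() > 5 ||
            !std::all_of(p.begin(), p.end(),
                         [](unsigned char c) { return std::isdigit(c) != 0; }))
            return false;
        out.port = std::stoi(p);
    }
    return true;
}

// True when a Referer header may accompany a request from `referrer` to `target`.
bool ShouldSendReferrer(const std::string& referrer, const std::string& target,
                        bool requireSamePort) {
    Origin from, to;
    if (!ParseOrigin(referrer, from) || !ParseOrigin(target, to))
        return false;                          // unparseable: send nothing
    if (from.scheme != "https") return true;   // only secure referrers are restricted
    if (to.scheme != "https") return false;    // RFC 2616 15.1.3: no https -> non-secure
    if (from.host != to.host) return false;    // not the same secure server
    return !requireSamePort || from.port == to.port;
}
```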
Comment 9•24 years ago
ddrinan, sr=darin provided you fix the indentation to make it consistent with the rest of nsHttpChannel.cpp (4 spaces of indentation).
Assignee
Comment 11•24 years ago
Fix checked in.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Assignee
Comment 13•24 years ago
bbaetz has informed me that this bug is needed for the branch. Re-opening and adding keyword topembed.
Comment 14•24 years ago
sr=blizzard
Comment 15•24 years ago
This is a war room bug that we'd like to get on the 0.9.2 branch.
Summary: http referrer from https should be supplied when target is same secure server → WRMB: http referrer from https should be supplied when target is same secure server
Comment 16•24 years ago
Approved for check in to the branch by verbal comment from chofmann.
Assignee
Comment 17•24 years ago
Checked into the 0.9.2 branch. Marking fixed.
Status: REOPENED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
Comment 18•23 years ago
Did this re-break in 0.9.3? 0.9.3 on Linux (RH7.1), I'm very clearly not getting the referer (sic referrer) header when going from one https document to a linked https document on the same server.
Comment 19•23 years ago
Just to add a clarification... the problem I'm seeing is https->https, which is technically different than this bug. BUT... this worked properly in 0.9.1, so the patch for this bug may have had the unintended side effect of messing up https->https.
Assignee
Comment 20•23 years ago
This fix did not make it into 0.9.3. It's checked into the 0.9.2 branch and the trunk.
Updated•23 years ago
Whiteboard: [ckritzer]
Reporter
Comment 21•23 years ago
Comment 22•23 years ago
*** Bug 93310 has been marked as a duplicate of this bug. ***
Comment 23•23 years ago
*** Bug 97303 has been marked as a duplicate of this bug. ***
Reporter
Comment 24•23 years ago
*** Bug 100289 has been marked as a duplicate of this bug. ***
Comment 26•23 years ago
*** Bug 103838 has been marked as a duplicate of this bug. ***
Comment 27•23 years ago
*** Bug 96912 has been marked as a duplicate of this bug. ***
Updated•8 years ago
Product: Core → Core Graveyard