WRMB: http referrer from https should be supplied when target is same secure server

VERIFIED FIXED in psm2.1

Status

Core Graveyard
Security: UI
P1
normal
VERIFIED FIXED
16 years ago
8 months ago

People

(Reporter: Stephane Saux, Assigned: David P. Drinan)

Tracking

({topembed})

1.0 Branch
psm2.1
topembed

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ckritzer])

Attachments

(3 attachments)

(Reporter)

Description

16 years ago
see bug 82479. We made sure that we would not send the referrer from https to
http but the implementation also removed the referrer in the case when the
request is to the same encrypted server. This is unnecessarily broad.
(Reporter)

Comment 1

16 years ago
t->2.1
Keywords: nsenterprise
Priority: -- → P2
Target Milestone: --- → 2.1
(Reporter)

Comment 2

16 years ago
*** Bug 89243 has been marked as a duplicate of this bug. ***
(Reporter)

Updated

16 years ago
Priority: P2 → P1
(Assignee)

Comment 3

16 years ago
Created attachment 43728 [details] [diff] [review]
Patch for review.

Comment 4

16 years ago
ddrinan:

you should really use SchemeIs in place of GetScheme/strcmp.
You should be using strcasecmp to compare the schemes and the hosts, since both
of those are case insensitive, according to the appropriate RFCs.
(Reporter)

Comment 6

16 years ago
adding patch keyword.
Keywords: patch
(Assignee)

Comment 7

16 years ago
Created attachment 44133 [details] [diff] [review]
Updated patch.
r=bbaetz. The spec says (RFC2616, 15.1.3):

"  Clients SHOULD NOT include a Referer header field in a (non-secure)
   HTTP request if the referring page was transferred with a secure
   protocol."

Should we check ports as well, or let it through anyway?
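The two behaviours under discussion, the over-broad stripping introduced by bug 82479 and the narrower rule this bug asks for (send the Referer only when the request goes back to the same secure server, comparing scheme and host case-insensitively as comment 4 requires), as an added example. This is illustrative code written for this page, not the nsHttpChannel.cpp patch; the function names and the `strictPort` option are this example's own assumptions, since the thread leaves the port question open.

```javascript
// Added example (not Mozilla's nsHttpChannel.cpp code): models the Referer
// decision discussed in this bug. Function names and the strictPort option
// are assumptions of this example, not part of the original patch.

// Behaviour introduced by bug 82479, as described in the report: any
// referring page loaded over https loses its Referer, even for a request
// back to the same secure server.
function refererAllowedBroad(referrer, _target) {
  const ref = new URL(referrer);
  return ref.protocol !== "https:";
}

// Behaviour this bug asks for: a secure referring page still sends its
// Referer when the request goes to the same secure server. Scheme and host
// must be compared case-insensitively (comment 4); the URL parser lower-cases
// both, so plain string comparison of the parsed fields achieves that.
// Whether the port must also match was left open in comment 7; the
// strictPort flag is this example's own knob for that question.
function refererAllowedFixed(referrer, target, { strictPort = false } = {}) {
  const ref = new URL(referrer);
  const tgt = new URL(target);
  if (ref.protocol !== "https:") {
    return true;   // plain http referrer: RFC 2616 15.1.3 does not apply
  }
  if (tgt.protocol !== "https:") {
    return false;  // https -> http: never leak the secure page's URL
  }
  if (ref.hostname !== tgt.hostname) {
    return false;  // https -> a different secure server: still withheld by this fix
  }
  if (strictPort && ref.port !== tgt.port) {
    return false;  // URL normalises the default port to "", so :443 equals no port
  }
  return true;
}

// Assemble the request headers a client would send, omitting the Referer
// header whenever the chosen policy says it must not be sent.
function buildHeaders(referrer, target, policy) {
  const headers = { Host: new URL(target).host };
  if (policy(referrer, target)) {
    headers.Referer = referrer;
  }
  return headers;
}

// Constructed sample: a secure page linking to another page on the same
// secure server, which is exactly the case the reporter wants to keep.
const sampleReferrer = "https://bank.example/account/summary";
const sampleTarget = "https://BANK.example/account/transfer";
console.log(buildHeaders(sampleReferrer, sampleTarget, refererAllowedBroad));
console.log(buildHeaders(sampleReferrer, sampleTarget, refererAllowedFixed));
```

Run with `node`. The first line printed has no Referer (the bug 82479 behaviour); the second carries it, because the parsed hostnames match once the parser has lower-cased them.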

Comment 9

16 years ago
ddrinan, sr=darin provided you fix the indentation to make it consistent with the
rest of nsHttpChannel.cpp (4 spaces of indentation).

Comment 10

16 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
(Assignee)

Comment 11

16 years ago
Fix checked in.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
(Reporter)

Comment 12

16 years ago
keywords->verifyme
Keywords: patch → verifyme
(Assignee)

Comment 13

16 years ago
bbaetz has informed me that this bug is needed for the branch. Re-opening and 
adding keyword topembed.
Status: RESOLVED → REOPENED
Keywords: topembed
Resolution: FIXED → ---
sr=blizzard

Comment 15

16 years ago
this is a war room bug that we'd like to get on the 0.9.2 branch
Summary: http referrer from https should be supplied when target is same secure server → WRMB: http referrer from https should be supplied when target is same secure server

Comment 16

16 years ago
Approved for check in to the branch by verbal comment from chofmann.
(Assignee)

Comment 17

16 years ago
Checked into the 0.9.2 branch. Marking fixed.
Status: REOPENED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED

Updated

16 years ago
Blocks: 87417

Comment 18

16 years ago
Did this re-break in 0.9.3? 0.9.3 on Linux (RH7.1), I'm very clearly not getting
the referer (sic referrer) header when going from one https document to a linked
https document on the same server.

Comment 19

16 years ago
Just to add a clarification... the problem I'm seeing is https->https, which is
technically different than this bug. BUT... this worked properly in 0.9.1, so
the patch for this bug may have had the unintended side effect of messing up
https->https.
(Assignee)

Comment 20

16 years ago
This fix did not make it in to 0.9.3. It's checked into the 0.9.2 branch and 
the trunk.

Updated

16 years ago
Whiteboard: [ckritzer]
(Reporter)

Comment 21

16 years ago
Created attachment 46189 [details]
log file from https server showing referrer from same server
*** Bug 93310 has been marked as a duplicate of this bug. ***
*** Bug 97303 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 24

16 years ago
*** Bug 100289 has been marked as a duplicate of this bug. ***

Comment 25

16 years ago
Verified fixed.
Status: RESOLVED → VERIFIED
QA Contact: ckritzer → junruh
*** Bug 103838 has been marked as a duplicate of this bug. ***

Comment 27

16 years ago
*** Bug 96912 has been marked as a duplicate of this bug. ***

Updated

12 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

9 years ago
Version: psm2.0 → 1.0 Branch

Updated

9 years ago
Keywords: verifyme
Product: Core → Core Graveyard