
Ticket #144 (closed design: fixed)

Opened 5 years ago

Last modified 5 years ago

Clarify when Referer is sent

Reported by: mnot@pobox.com
Owned by:
Priority:
Milestone: unassigned
Component: p2-semantics
Severity: Active WG Document
Keywords:
Cc:
Origin: http://www.w3.org/mid/7789133a0901300956r3ee7850ds9a11fbe2cce33dcb@mail.gmail.com

Description (last modified by mnot@pobox.com) (diff)

Current browser implementations often omit the Referer header, even when there is a URI available. From the source e-mail:

  1. The attacker hosts his HTML page over HTTPS and mounts a CSRF attack against an HTTP URL.
  2. The attacker hosts his HTML page over FTP. Browsers don't send FTP URLs in the Referer header.
  3. The attacker hosts his HTML page over GOPHER. Browsers don't send GOPHER URLs in the Referer header.
  4. The attacker hosts his HTML in a DATA URL. Browsers don't send DATA URLs in the Referer header.
  5. The attacker hosts his HTML in a frame whose URL is the empty string.

Referer's definition should be clarified to state that it (SHOULD|MUST) be sent for non-HTTP URIs. Additionally, it may be worth considering specifying a special value (e.g., "null") to be sent when there is no referer.
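The security point behind this ticket is that every one of the five scenarios above reaches the target server with no Referer at all (or, after the change in r593, with "about:blank"), so a server-side CSRF defence that waves through requests lacking a Referer is bypassable. The following is an added example, not part of the ticket or of any browser or HTTPbis code: it contrasts that lenient check with a strict one over constructed sample headers. The function names, the host example.com, and the attacker hostname are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample requests, one per scenario from the ticket description.
# Each entry is (label, request headers). The attacker-controlled cases all
# arrive with no Referer, which is exactly what the ticket complains about.
SAMPLES = [
    ("same-origin form post", {"Referer": "http://example.com/account"}),
    ("https page attacking http", {}),   # browsers drop Referer on https -> http
    ("ftp-hosted page", {}),             # ftp: referrers are not sent
    ("gopher-hosted page", {}),          # gopher: referrers are not sent
    ("data: URL", {}),                   # data: referrers are not sent
    ("empty-string frame", {}),          # frame with URL "" has nothing to send
    ("about:blank per r593", {"Referer": "about:blank"}),
    ("cross-site http page", {"Referer": "http://attacker.example/csrf.html"}),
]


def lenient_referer_check(headers, expected_host):
    """Common but bypassable rule: a missing Referer is treated as trustworthy.

    All five attacker scenarios from the ticket pass this check.
    """
    ref = headers.get("Referer")
    if ref is None:
        return True
    return urlsplit(ref).hostname == expected_host


def strict_referer_check(headers, expected_host):
    """Fail closed: absence, 'about:blank' and non-http(s) referers are untrusted.

    Only a Referer whose scheme is http/https and whose host matches is accepted.
    """
    ref = headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.hostname == expected_host


def evaluate(check, expected_host="example.com"):
    """Run one check over every sample and return {label: accepted?}."""
    return {label: check(h, expected_host) for label, h in SAMPLES}


if __name__ == "__main__":
    for name, check in (("lenient", lenient_referer_check),
                        ("strict", strict_referer_check)):
        print(name)
        for label, ok in evaluate(check).items():
            print(f"  {'ACCEPT' if ok else 'reject':6} {label}")
```

The strict variant closes the hole the ticket describes, at the cost of rejecting legitimate users whose browsers or proxies strip Referer for privacy; that trade-off is why a per-request anti-CSRF token, rather than Referer checking alone, is the usual primary defence, with Referer validation as a secondary signal.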

Attachments

144.diff (12.7 KB) - added by julian.reschke@gmx.de 5 years ago.
proposed change for part 2.

Change History

comment:1 Changed 5 years ago by mnot@pobox.com

  • Description modified (diff)

Changed 5 years ago by julian.reschke@gmx.de

proposed change for part 2.

comment:2 Changed 5 years ago by julian.reschke@gmx.de

From [593]:

Allow Referer value of "about:blank" as alternative to not specifying it (related to #144)

comment:3 Changed 5 years ago by mnot@pobox.com

  • Status changed from new to closed
  • Resolution set to fixed