Opened 14 years ago
Closed 14 years ago
#144 closed design (fixed)
Clarify when Referer is sent
Reported by: | mnot@… | Owned by: | |
---|---|---|---|
Priority: | | Milestone: | unassigned |
Component: | p2-semantics | Severity: | Active WG Document |
Keywords: | | Cc: | |
Description (last modified by mnot@…)
Current browser implementations often omit the Referer header, even when there is a URI available. From the source e-mail:
- The attacker hosts his HTML page over HTTPS and mounts a CSRF attack against an HTTP URL.
- The attacker hosts his HTML page over FTP. Browsers don't send FTP URLs in the Referer header.
- The attacker hosts his HTML page over GOPHER. Browsers don't send GOPHER URLs in the Referer header.
- The attacker hosts his HTML in a DATA URL. Browsers don't send DATA URLs in the Referer header.
- The attacker hosts his HTML in a frame whose URL is the empty string.
Referer's definition should be clarified to state that it (SHOULD|MUST) be sent for non-HTTP URIs. Additionally, it may be worth considering specifying a special value (e.g., "null") to be sent when there is no referer.
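As an added illustration (not part of the ticket or the WG's text) of why the omitted-Referer cases matter to a server that relies on Referer for CSRF protection: a fail-open check accepts every case in the list above, while a fail-closed check, which also treats the proposed "null" placeholder as untrusted, accepts only the same-site request. The sample Referer values and site origin are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed samples of the Referer value a browser would send for the
# cases in the ticket description (None = header omitted entirely).
SAMPLE_REQUESTS = {
    "same-site form post":        "http://bank.example/transfer",
    "attacker page over HTTPS":   None,   # https -> http: Referer omitted
    "attacker page over FTP":     None,   # ftp URLs are not sent
    "attacker page over GOPHER":  None,   # gopher URLs are not sent
    "attacker page in data: URL": None,   # data URLs are not sent
    "frame with empty URL":       None,   # nothing to send
    "attacker page over HTTP":    "http://evil.example/csrf.html",
    "proposed null value":        "null", # the ticket's suggested placeholder
}

# Constructed origin of the site being protected: (scheme, host, port).
SITE = ("http", "bank.example", 80)


def _origin_of(url):
    """Reduce a Referer value to (scheme, host, port); None if not http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


def referer_check_lenient(referer, site_origin):
    """Fail-open: a missing Referer is accepted. Every omitted-Referer
    case in the ticket passes this check, which is the problem."""
    if referer is None:
        return True
    return _origin_of(referer) == site_origin


def referer_check_strict(referer, site_origin):
    """Fail-closed: missing, 'null', or foreign-origin Referer is rejected."""
    if referer is None or referer == "null":
        return False
    return _origin_of(referer) == site_origin


def evaluate(check):
    """Names of the sample requests that the given check accepts."""
    return [name for name, ref in SAMPLE_REQUESTS.items() if check(ref, SITE)]
```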
Attachments (1)
Change History (4)
comment:1 Changed 14 years ago by mnot@…
- Description modified (diff)
Changed 14 years ago by julian.reschke@…
comment:2 Changed 14 years ago by julian.reschke@…
comment:3 Changed 14 years ago by mnot@…
- Resolution set to fixed
- Status changed from new to closed
Attachment: proposed change for part 2.