Opened 11 years ago

Closed 10 years ago

#144 closed design (fixed)

Clarify when Referer is sent

Reported by: mnot@…
Owned by:
Priority:
Milestone: unassigned
Component: p2-semantics
Severity: Active WG Document
Keywords:
Cc:

Description (last modified by mnot@…)

Current browser implementations often omit the Referer header, even when there is a URI available. From the source e-mail:

  1. The attacker hosts his HTML page over HTTPS and mounts a CSRF attack against an HTTP URL.
  2. The attacker hosts his HTML page over FTP. Browsers don't send FTP URLs in the Referer header.
  3. The attacker hosts his HTML page over GOPHER. Browsers don't send GOPHER URLs in the Referer header.
  4. The attacker hosts his HTML in a DATA URL. Browsers don't send DATA URLs in the Referer header.
  5. The attacker hosts his HTML in a frame whose URL is the empty string.

Referer's definition should be clarified to state that it (SHOULD|MUST) be sent for non-HTTP URIs. Additionally, it may be worth considering specifying a special value (e.g., "null") to be sent when there is no referer.
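To make the consequence for a Referer-based CSRF check concrete, the following is an added example (not part of this ticket, nor of any browser or server code): it models the five omission cases listed above and runs them through a server-side check under a lenient policy (absent Referer accepted) and a strict one. The site and page URLs are constructed, and treating "null" and "about:blank" as no-referrer values is an assumption about what browsers would send.

```python
from urllib.parse import urlsplit

# Values that carry no usable referrer: absent, empty, the "null" value the
# ticket proposes, and "about:blank" (assumed here; see changeset [593]).
NO_REFERRER_VALUES = {None, "", "null", "about:blank"}

def referer_origin(referer):
    """Return 'scheme://host:port' for an http(s) Referer, else None."""
    if referer in NO_REFERRER_VALUES:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # ftp:, gopher:, data: never identify a web origin
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"

def browser_referer(page_url, target_url):
    """Model the omissions the ticket lists: HTTPS page -> HTTP target,
    non-HTTP(S) page scheme, empty page URL. Other rules are ignored."""
    if not page_url:
        return None
    page, target = urlsplit(page_url), urlsplit(target_url)
    if page.scheme not in ("http", "https") or (
            page.scheme == "https" and target.scheme == "http"):
        return None
    return page_url

def csrf_check(referer, site_origin, allow_missing):
    """Accept a state-changing request only if Referer proves same-site.
    allow_missing=True treats an absent Referer as harmless (lenient)."""
    origin = referer_origin(referer)
    if origin is None:
        return allow_missing
    return origin == site_origin

# Constructed sample: a bank.example handler and the ticket's five page kinds.
TARGET = "http://bank.example/transfer"
REFERRING_PAGES = [
    "https://other.example/page.html",  # HTTPS page, HTTP target
    "ftp://other.example/page.html",
    "gopher://other.example/1page",
    "data:text/html,<p>inline page</p>",
    "",                                 # frame whose URL is the empty string
]

def accepted_count(allow_missing):
    """How many of the five cross-site requests the policy lets through."""
    site = referer_origin(TARGET)
    return sum(csrf_check(browser_referer(p, TARGET), site, allow_missing)
               for p in REFERRING_PAGES)
```

Under the lenient policy all five cross-site requests pass; under the strict policy none do, which is why a check that accepts a missing Referer gives no protection against the cases in the ticket.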

Attachments (1)

144.diff (12.7 KB) - added by julian.reschke@… 10 years ago.
proposed change for part 2.


Change History (4)

comment:1 Changed 11 years ago by mnot@…

  • Description modified (diff)

Changed 10 years ago by julian.reschke@…

proposed change for part 2.

comment:2 Changed 10 years ago by julian.reschke@…

From [593]:

Allow Referer value of "about:blank" as alternative to not specifying it (related to #144)

comment:3 Changed 10 years ago by mnot@…

  • Resolution set to fixed
  • Status changed from new to closed