Changes between Initial Version and Version 1 of Ticket #144
Timestamp: 30/01/09 22:53:04 (14 years ago)
Ticket #144 – Description
Description text (Version 1; the only change from the initial version is that the five list items were renumbered from `1)`…`5)` to `1.`…`5.`, the wording is unchanged):

Current browser implementations often omit the Referer header, even when there is a URI available. From the source e-mail:

1. The attacker hosts his HTML page over HTTPS and mounts a CSRF attack against an HTTP URL.
2. The attacker hosts his HTML page over FTP. Browsers don't send FTP URLs in the Referer header.
3. The attacker hosts his HTML page over GOPHER. Browsers don't send GOPHER URLs in the Referer header.
4. The attacker hosts his HTML in a DATA URL. Browsers don't send DATA URLs in the Referer header.
5. The attacker hosts his HTML in a frame whose URL is the empty string.

Referer's definition should be clarified to state that it (SHOULD|MUST) be sent for non-HTTP URIs. Additionally, it may be worth considering specifying a special value (e.g., "null") to be sent when there is no referer.
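The following is an added example, not part of the ticket or the httpbis drafts: `referer_for` models the five browser behaviours listed above (when the Referer is omitted), and `check_csrf` shows why a server-side Referer check must take a deliberate position on a missing or "null" Referer, since it cannot distinguish a privacy-stripping client from one of the hosting setups above. The host names and the `strict` policy flag are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlparse

# Schemes for which the ticket says browsers send no Referer at all (cases 2-4).
NO_REFERER_SCHEMES = {"ftp", "gopher", "data"}


def referer_for(page_url: str, target_url: str) -> Optional[str]:
    """Model of the browser behaviour described in the ticket: the Referer a
    document at page_url would send with a request to target_url, or None
    when the browser omits the header."""
    if page_url == "":                      # case 5: frame whose URL is ""
        return None
    page = urlparse(page_url)
    target = urlparse(target_url)
    if page.scheme in NO_REFERER_SCHEMES:   # cases 2-4: ftp, gopher, data
        return None
    if page.scheme == "https" and target.scheme == "http":  # case 1
        return None
    return page_url


def check_csrf(headers: dict, allowed_origin: str, strict: bool) -> bool:
    """Server-side decision for a state-changing request.

    Accept only when the Referer proves the request came from allowed_origin.
    A missing Referer, or the "null" value the ticket proposes, is ambiguous:
    `strict=True` rejects it (safe, may break privacy-conscious clients),
    `strict=False` accepts it (every case listed in the ticket then passes).
    """
    ref = headers.get("Referer")
    if ref is None or ref == "null":
        return not strict
    p = urlparse(ref)
    return f"{p.scheme}://{p.netloc}" == allowed_origin


if __name__ == "__main__":
    # Constructed sample: a page on an attacker-controlled host issuing a
    # request to the target; in every listed case the Referer is absent.
    target = "http://bank.example/transfer"
    for page in ["https://evil.example/p.html", "ftp://evil.example/p.html",
                 "gopher://evil.example/p", "data:text/html,<form>", ""]:
        print(repr(page), "->", referer_for(page, target))
    print(check_csrf({}, "http://bank.example", strict=True))    # False
    print(check_csrf({}, "http://bank.example", strict=False))   # True
```

The lenient policy shows the exact gap the ticket describes: every hosting setup in the list arrives with no Referer and is indistinguishable from a benign request with the header stripped.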