Closed Bug 56977 Opened 24 years ago Closed 23 years ago

When using https the http_referrer is not used correctly

Categories

(Core :: Networking: HTTP, defect, P1)

x86
Windows NT
defect

Tracking

VERIFIED INVALID
mozilla0.9.4

People

(Reporter: philipp.von-dahl, Assigned: darin.moz)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20001010
BuildID: 2000091312
Inside the commerzbank online banking application the http_referrer is used for security reasons. The error messages I get when using mozilla m18 indicate that the http_referrer is not used correctly when using https. It works when using http but not https. No such errors with mozilla m17, but also with Netscape PR3 on Linux.
Reproducible: Always
Steps to Reproduce: Sorry I can't give you any instructions here but you would need an account at commerzbank (Germany).
Actual Results: I'm getting the error message our application gives when someone tries to "jump into the application from outside", that means the application does not get the http_referrer it expects.
Expected Results: Display the next page
For further questions mail: philipp.von-dahl@commerzbank.com
Confirming for triage by gagan. Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Reporter: can you please verify this bug against the official netscape 6.0 release? thanks!
Yes, same behaviour with the official Netscape 6. However, further testing revealed that the problem is not using https but frames (with http and https). When using frames, the HTTP_REFERER is used for the page containing the frameset, but no HTTP_REFERER is given for the frames themselves.
Blocks: 61660
Blocks: 61687
http bugs to "Networking::HTTP"
Assignee: gagan → darin
Component: Networking → Networking: HTTP
Target Milestone: --- → M19
I think we're seeing this bug also, but I can't tell you what site (yet) because it's not launched. However netscape 6 does seem to be leaving the referer null when switching http->https. Ask me again in mid February if you need to know which site.
The problem seems to be solved when using the nightly build from 9th February 2001 (Windows).
Resolving as FIXED, please reopen if bug returns.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3) Gecko/20010801
Referer Not Sent From HTTPS://
HTTP://  -> HTTPS://   Pass
HTTP://  -> HTTP://    Pass
HTTPS:// -> HTTP://    Fail
HTTPS:// -> HTTPS://   Fail
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Can you clarify what that chart means? I'm assuming you mean getting a (http or https) URL from a (http or https) URL. Do you mean PASS = send the header, or PASS = tested correctly?
Sorry, to clarify:
From        To          http_referer Sent
--------    --------    -----------------
HTTP://  -> HTTPS://    Yes
HTTP://  -> HTTP://     Yes
HTTPS:// -> HTTP://     No
HTTPS:// -> HTTPS://    No
Where "From" is the Protocol used to request the initial page and "To" is the Protocol used to request the linked page.
Status: REOPENED → ASSIGNED
Priority: P3 → P1
Target Milestone: --- → mozilla0.9.4
the spec says that for HTTPS->HTTP, the referrer should not be sent. but from HTTPS->HTTPS it does not make any restrictions, so we should fix only this case.
after discussing this with some of the security folks, i think i agree with our current HTTPS referrer behavior. so, i'm closing this bug out as INVALID.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → INVALID
Darin, could you please elaborate a bit further why you think a referer shouldn't be sent when using https? Regards Philipp
I am also confused about this decision, especially since this bug is produced when going from one page to the next on the same box (during the same "secure session" as it were). This is especially troubling since every other browser does this. I am of the understanding that while there may be no explicit requirement to send a referer under these circumstances, there is no explicit requirement NOT to either. From searching through the other HTTP_REFERER related bugs I have deduced that this lack of behavior will undoubtedly break validation code in several Financial, banking and *ahem* "Adult" sites. Not Good.
a HTTPS referrer will be sent to the same site, but not when switching sites.
If you go to this page: https://www.protusfax.com/protus/test/test_ref1.asp There will be the page referer (if any) pulled out via ASP, and a relative link to test_ref2.asp in the same directory. test_ref2.asp & test_ref1.asp are exactly the same, except that their links point to the other page. In Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3) Gecko/20010801 (release 0.93) the referer is never sent. Just so that there's no confusion, here is the back end ASP code:
[----CODE------]
<html>
<head>
</head>
<body>
<%Response.Write "Referer=" & Request.ServerVariables("HTTP_REFERER")%><br>
<br>
<a href="test_ref1.asp">HTTPS:// -> HTTPS:// (same box - relative link)</a>
</body>
</html>
[----CODE------]
This bug should be reopened.
if you try testing a more recent nightly build, you'll notice that the bug you describe has been fixed. it was not fixed in mozilla 0.9.3.
Yep, the https->https case was fixed in bug 89995.
Verified fixed.
Status: RESOLVED → VERIFIED
QA Contact: tever → junruh
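The Referer rules stated in the comments above (not sent for HTTPS -> HTTP; sent for HTTPS -> HTTPS only within the same site), together with a server-side check that reports a withheld header separately from a foreign one, as an added example that is not code from this bug or from Mozilla. The function names and the hosts `bank.example` and `other.example` are constructed, and "same site" is assumed to mean the same host name.

```javascript
// Added example, not code from the bug report. Host names are constructed.
// Assumption: "same site" means the same host name.

// Browser side: the Referer value sent for a navigation, or null when the
// header is withheld, following the rules stated in the thread.
function refererToSend(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.protocol === 'https:') {
    if (to.protocol !== 'https:') return null;       // HTTPS -> HTTP
    if (from.hostname !== to.hostname) return null;  // HTTPS -> other site
  }
  // The header never carries credentials or the fragment.
  from.username = '';
  from.password = '';
  from.hash = '';
  return from.href;
}

// Server side (hypothetical check): a missing header is reported separately
// from a foreign one, so a withheld Referer is not read as an outside jump.
function classifyReferer(headerValue, appHost) {
  if (!headerValue) return 'absent';
  let ref;
  try {
    ref = new URL(headerValue);
  } catch (e) {
    return 'malformed';
  }
  return ref.hostname === appHost ? 'internal' : 'external';
}

// Constructed transitions: the four rows of the chart, then two cross-site ones.
const APP_HOST = 'bank.example';
function demo() {
  const cases = [
    ['http://bank.example/a', 'https://bank.example/b'],
    ['http://bank.example/a', 'http://bank.example/b'],
    ['https://bank.example/a', 'http://bank.example/b'],
    ['https://bank.example/a#top', 'https://bank.example/b'],
    ['https://other.example/a', 'https://bank.example/b'],
    ['http://other.example/a', 'http://bank.example/b'],
  ];
  return cases.map(([from, to]) => classifyReferer(refererToSend(from, to), APP_HOST));
}

console.log(demo());
```

An application that treats `absent` the same as `external` produces the "jump into the application from outside" error for every navigation where the browser withholds the header.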