Closed
Bug 56977
Opened 24 years ago
Closed 23 years ago
When using https the http_referrer is not used correctly
Categories
(Core :: Networking: HTTP, defect, P1)
Tracking
()
VERIFIED
INVALID
mozilla0.9.4
People
(Reporter: philipp.von-dahl, Assigned: darin.moz)
References
()
Details
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20001010
BuildID: 2000091312
Inside the commerzbank online banking application the http_referrer is used for
security reasons. The error messages I get when using mozilla m18 indicate that
the http_referrer is not used correctly when using https. It works when using
http but not https. No such errors with mozilla m17, but also with Netscape PR3
on Linux.
Reproducible: Always
Steps to Reproduce:
Sorry I can't give you any instructions here but you would need an account at
commerzbank (Germany).
Actual Results: I'm getting the Error message our application gives when
someone tries to "jump into the application from outside" that means the
application does not get the http_referrer it expects.
Expected Results: Display the next page
For further questions mail: philipp.von-dahl@commerzbank.com
Comment 1•24 years ago
Confirming for triage by gagan.
Gerv
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 2•24 years ago
Reporter: can you please verify this bug against the official netscape 6.0
release? thanks!
Reporter | ||
Comment 3•24 years ago
Yes, same behaviour with the official Netscape 6.
However, further testing revealed that the problem is not
using https but frames (with http and https).
When using frames, the HTTP_REFERER is used for the page
containing the frameset, but no HTTP_REFERER is given for
the frames themselves.
http bugs to "Networking::HTTP"
Assignee: gagan → darin
Component: Networking → Networking: HTTP
Target Milestone: --- → M19
Comment 5•24 years ago
I think we're seeing this bug also, but I can't tell you what site (yet) because
it's not launched. However netscape 6 does seem to be leaving the referer null
when switching http->https.
Ask me again in mid February if you need to know which site.
Reporter | ||
Comment 6•24 years ago
The Problem seems to be solved when using the nightly build from
9th February 2001 (Windows).
Assignee | ||
Comment 7•24 years ago
Resolving as FIXED, please reopen if bug returns.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 8•23 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2) Gecko/20010726
Netscape6/6.1
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3) Gecko/20010801
Referer Not Sent From HTTPS://
HTTP:// -> HTTPS:// Pass
HTTP:// -> HTTP:// Pass
HTTPS:// -> HTTP:// Fail
HTTPS:// -> HTTPS:// Fail
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Can you clarify what that chart means?
I'm assuming you mean
getting a (http or https) URL from a (http or https) URL.
Do you mean PASS = send the header, or PASS = tested correctly?
Comment 10•23 years ago
Sorry,
To clarify
From         To          http_referer Sent
--------     --------    -----------------
HTTP://   -> HTTPS://    Yes
HTTP://   -> HTTP://     Yes
HTTPS://  -> HTTP://     No
HTTPS://  -> HTTPS://    No
Where "From" is the Protocol used to request the initial page
and "To" is the Protocol used to request the linked page.
Assignee | ||
Updated•23 years ago
Status: REOPENED → ASSIGNED
Priority: P3 → P1
Target Milestone: --- → mozilla0.9.4
Assignee | ||
Comment 11•23 years ago
the spec says that for HTTPS->HTTP, the referrer should not be sent.
but from HTTPS->HTTPS it does not make any restrictions, so we should fix only
this case.
Assignee | ||
Comment 12•23 years ago
after discussing this with some of the security folks, i think i agree with our
current HTTPS referrer behavior. so, i'm closing this bug out as INVALID.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 13•23 years ago
Darin,
could you please elaborate a bit further why you think a referer
shouldn't be sent when using https?
Regards
Philipp
Comment 14•23 years ago
I am also confused about this decision, especially since this bug is produced
when going from one page to the next on the same box (during the same "secure
session" as it were).
This is especially troubling since every other browser does this. I am of the
understanding that while there may be no explicit requirement to send a referer
under these circumstances, there is no explicit requirement NOT to either.
From searching through the other HTTP_REFERER related bugs I have deduced that
this lack of behavior will undoubtedly break validation code in several
Financial, banking and *ahem* "Adult" sites.
Not Good.
Assignee | ||
Comment 15•23 years ago
a HTTPS referrer will be sent to the same site, but not when switching sites.
Comment 16•23 years ago
If you go to this page:
https://www.protusfax.com/protus/test/test_ref1.asp
There will be the page referer (if any) pulled out via ASP, and a relative link
to test_ref2.asp in the same directory. test_ref2.asp & test_ref1.asp are
exactly the same, except that their links point to the other page.
In Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.3) Gecko/20010801
(release 0.93) the referer is never sent.
Just so that there's no confusion, here is the back end ASP code:
[----CODE------]
<html>
<head>
</head>
<body>
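<%' HTML-encode the header before echoing it: the Referer is client-controlled input %>
<%Response.Write "Referer=" & Server.HTMLEncode(Request.ServerVariables("HTTP_REFERER") & "")%><br>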
<br>
<a href="test_ref1.asp">HTTPS:// -> HTTPS:// (same box - relative link)</a>
</body>
</html>
[----CODE------]
This bug should be reopened.
Assignee | ||
Comment 17•23 years ago
if you try testing a more recent nightly build, you'll notice that the bug you
describe has been fixed. it was not fixed in mozilla 0.9.3.
Comment 18•23 years ago
Yep, the https->https case was fixed in bug 89995.
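The sending rules stated in comments 10, 11 and 15, written out as an added example that is not Mozilla's code and not part of the original thread. It assumes "same site" means an identical host (the thread does not define it), and the sample hosts are constructed.

```javascript
// Added illustration, not Mozilla's implementation.
// Assumption: "same site" means identical host (hostname plus any explicit port).
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Only http(s) pages produce a Referer in this sketch.
  if (from.protocol !== 'http:' && from.protocol !== 'https:') return null;

  if (from.protocol === 'https:') {
    // Comment 11: HTTPS -> HTTP must not carry the referrer.
    if (to.protocol !== 'https:') return null;
    // Comment 15: HTTPS -> HTTPS is sent to the same site only.
    if (from.host !== to.host) return null;
  }

  // The header value never includes the fragment or embedded credentials.
  from.hash = '';
  from.password = '';
  from.username = '';
  return from.href;
}

// Constructed sample navigations (hypothetical hosts): the four rows of the
// From/To table in comment 10, plus a cross-site HTTPS navigation.
const SAMPLE_NAVIGATIONS = [
  ['http://shop.example/cart', 'https://pay.example/checkout'],
  ['http://shop.example/cart', 'http://shop.example/item'],
  ['https://bank.example/login', 'http://bank.example/help'],
  ['https://bank.example/login?step=1#form', 'https://bank.example/account'],
  ['https://bank.example/login', 'https://ads.example/pixel'],
];

// Returns one record per sample navigation with the Referer that would be sent.
function refererMatrix() {
  return SAMPLE_NAVIGATIONS.map(([from, to]) => ({ from, to, referer: refererFor(from, to) }));
}

for (const row of refererMatrix()) {
  console.log(`${row.from} -> ${row.to}: ${row.referer ?? '(none)'}`);
}
```

A server-side check that treats a missing Referer as a "jump from outside", like the one the reporter describes, will reject every navigation for which this function returns null.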