Closed Bug 724 Opened 26 years ago Closed 26 years ago

Referer: should not be sent from URL field

Categories

(MozillaClassic Graveyard :: Macintosh FE, defect, P2)

PowerPC
Mac System 7.5
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: trebor, Assigned: sdagley)

Details

(Keywords: testcase)

Load page A (say, a hotmail page that has user information encoded into the URL). Enter the URL of page B (say, http://www.evil-hackers.com/) and load the page. The URL of the previously displayed page gets sent to evil-hackers.com, a clear security hole. Solution: when a new URL is entered into the netsite: line and loaded, clear the Referer: field. After all, there is no logical relationship between the old page and the new one, so no reason to send the referer:
Status: NEW → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Thanks for the reminder. I had fixed this bug in 4.06 but forgot to merge the change into Mozilla. It should show up in the next build after 9/4.
QA Contact: 4082
Greg -- please verify -- thanks
Status: RESOLVED → VERIFIED
As far as I can tell, using a simple sample test case, this appears to work properly with the Jan 29 build of Seamonkey on Mac.
Changed summary for clarity.
Summary: Referer field incorrectly set when new URL entered into Netsite: line → Referer: should not be sent from URL field
You really want to be reviewing MozillaClassic bugs? This one is definitely specific to the old Mac-only FE code.
sdagley: gotta get my testcase from somewhere :)
The refer logging for the testcase in the URL field is at: http://www.packetgram.com/pktg/mozilla/bugzilla/83038/referlog.txt
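
The behaviour reported in the description and the fix it proposes, modeled as an added example (this is not Mozilla code and not part of the bug thread). `Tab`, `TRIGGER`, `exposedParams`, `scenario` and both URLs are constructed for illustration; `exposedParams` is the kind of check a tester could apply to a receiving server's referer log.

```javascript
// Added example: toy model of Referer selection. All names and URLs are constructed.
const TRIGGER = Object.freeze({ LINK: "link", TYPED: "typed" });

class Tab {
  // clearOnTyped=false models the reported behaviour, true the proposed fix.
  constructor(clearOnTyped) {
    this.clearOnTyped = clearOnTyped;
    this.currentUrl = null; // page currently displayed in this tab
  }

  // Returns the request headers for a navigation and updates the displayed page.
  navigate(targetUrl, trigger) {
    const headers = { Host: new URL(targetUrl).host };
    // A URL typed into the location field was not caused by the current page.
    const suppress = trigger === TRIGGER.TYPED && this.clearOnTyped;
    if (this.currentUrl !== null && !suppress) {
      headers.Referer = this.currentUrl;
    }
    this.currentUrl = targetUrl;
    return headers;
  }
}

// Receiver-side check: query parameter names a Referer exposes to another origin.
function exposedParams(headers, targetUrl) {
  if (!headers.Referer) return [];
  const ref = new URL(headers.Referer);
  if (ref.origin === new URL(targetUrl).origin) return [];
  return [...ref.searchParams.keys()];
}

// Loads page A, then reaches page B once by typing and once by following a link.
function scenario(clearOnTyped) {
  const pageA = "http://mail.example/inbox?user=alice&session=constructed123";
  const pageB = "http://other.example/";
  const typedTab = new Tab(clearOnTyped);
  typedTab.navigate(pageA, TRIGGER.TYPED);
  const typed = typedTab.navigate(pageB, TRIGGER.TYPED);
  const linkTab = new Tab(clearOnTyped);
  linkTab.navigate(pageA, TRIGGER.TYPED);
  const linked = linkTab.navigate(pageB, TRIGGER.LINK);
  return {
    typedLeak: exposedParams(typed, pageB),
    linkLeak: exposedParams(linked, pageB),
  };
}

console.log("reported behaviour:", scenario(false));
console.log("with proposed fix: ", scenario(true));
```

The link-click case is included only to show that the fix is scoped to typed URLs, as the description asks; it does not address what a followed link sends.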