Closed
Bug 89243
Opened 23 years ago
Closed 23 years ago
HTTP_REFERER is empty if form is posted in a SSL secured frame
Categories
(Core :: Security: PSM, defect)
People
(Reporter: Webmaster, Assigned: ssaux)
Details
I do extra checks on HTTP_REFERER if a form is posted. When I post a form in
a frameset which is SSL secured (and the rest of the frameset isn't), the
HTTP_REFERER is empty. When the form is posted in a completely secured page
(without frames), the HTTP_REFERER is not empty.
Comment 1•23 years ago
Changed product to PSM.
Assignee: wtc → ssaux
Component: Build → Daemon
Product: NSS → PSM
QA Contact: wtc → junruh
Version: 3.0 → unspecified
Comment 2•23 years ago
ccing mstoltz. Chances are, this is correct behavior -- posting from secure to
insecure should drop the referrer for privacy reasons.
Comment 3•23 years ago
In this case, I am posting from a secure page to a secure page.
(I made a mistake in the description. The first word 'frameset' should be read
as 'frame')
Assignee
Comment 4•23 years ago
Dup. of 89995.
The right thing to do with referrers from a secure page is to only provide them
when the form target is on the same secure server as the page the form appears
on. The current behavior is to not supply it ever. Bug 89995 was filed to
address that.
*** This bug has been marked as a duplicate of 89995 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
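The referrer rule described in comment 4, together with the secure-to-insecure case from comment 2, sketched as an added example that is not part of the bug thread or of Mozilla's code. The function names, the sample URLs and the handling of non-secure pages are assumptions.

```javascript
// Added example, not Mozilla/PSM code. referrerFor and serverOf are hypothetical names.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the scheme/host/port string that identifies the server.
function serverOf(url) {
  const u = new URL(url);
  // WHATWG URL lowercases the host and reports "" for a default port.
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol] || ""}`;
}

// Referer value for a form post from pageUrl to targetUrl, or null to omit it.
// pageUrl is the document that contains the form: for a form inside a frame,
// the frame's own URL, not the enclosing frameset's.
function referrerFor(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  if (page.protocol === "https:" && serverOf(pageUrl) !== serverOf(targetUrl)) {
    // Secure page, different server (this includes any http:// target): omit.
    return null;
  }
  // Assumption: a non-secure page keeps sending its referrer.
  // A Referer header never carries the fragment or embedded credentials.
  page.hash = "";
  page.username = "";
  page.password = "";
  return page.href;
}

// Constructed sample cases (example.test hosts are placeholders).
const cases = [
  ["https://shop.example.test/frame/form.html#top", "https://shop.example.test:443/cgi/post"],
  ["https://shop.example.test/frame/form.html", "https://other.example.test/cgi/post"],
  ["https://shop.example.test/frame/form.html", "http://shop.example.test/cgi/post"],
  ["http://shop.example.test/form.html", "https://shop.example.test/cgi/post"],
];
for (const [page, target] of cases) {
  console.log(`${page} -> ${target}: ${referrerFor(page, target)}`);
}
```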