Closed Bug 89995 Opened 23 years ago Closed 23 years ago

WRMB: http referrer from https should be supplied when target is same secure server

Categories

(Core Graveyard :: Security: UI, defect, P1)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.1

People

(Reporter: ssaux, Assigned: ddrinan0264)

References

Details

(Keywords: topembed, Whiteboard: [ckritzer])

Attachments

(3 files)

Patch for review.
(deleted), patch
Details | Diff | Splinter Review
Updated patch.
(deleted), patch
Details | Diff | Splinter Review
log file from https server showing referrer from same server
(deleted), text/plain
Details
see bug 82479. We made sure that we would not send the referrer from https to http but the implementation also removed the referrer in the case when the request is to the same encrypted server. This is unnecessary broad.
t->2.1
Keywords: nsenterprise
Priority: -- → P2
Target Milestone: --- → 2.1
*** Bug 89243 has been marked as a duplicate of this bug. ***
Priority: P2 → P1
Attached patch Patch for review. (deleted) — Splinter Review
ddrinan: you should really use SchemeIs in place of GetScheme/strcmp.
You should be using strcasecmp to compare the schemes and the hosts, since both of those are case insensitive, according to the appropriate RFCs.
adding patch keyword.
Keywords: patch
Attached patch Updated patch. (deleted) — Splinter Review
r=bbaetz. The spec says (RFC2616, 15.1.3): " Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." Should we check ports as well, or let it through anyway?
ddrinan, sr=darin provided you fix the indentation to make it consistent with the rest of nsHttpChannel.cpp (4 spaces of indentation).
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Fix checked in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
keywords->verifyme
Keywords: patchverifyme
bbaetz has informed me that this bug is needed for the branch. Re-opening and adding keyword topembed.
Status: RESOLVED → REOPENED
Keywords: topembed
Resolution: FIXED → ---
sr=blizzard
this is a war room bug that we'ed like to get on the 0.9.2 branch
Summary: http referrer from https should be supplied when target is same secure server → WRMB: http referrer from https should be supplied when target is same secure server
Approved for check in to the branch by verbal comment from chofmann.
Checked into the 0.9.2 branch. Marking fixed.
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
Blocks: 87417
Did this re-break in 0.9.3? 0.9.3 on Linux (RH7.1), I'm very clearly not getting the referer (sic referrer) header when going from one https document to a linked https document on the same server.
Just to add a clarification... the problem I'm seeing is https->https, which is technically different than this bug. BUT... this worked properly in 0.9.1, so the patch for this bug may have had the unintended side effect of messing up https->https.
This fix did not make it in to 0.9.3. It's checked into the 0.9.2 branch and the trunk.
Whiteboard: [ckritzer]
*** Bug 93310 has been marked as a duplicate of this bug. ***
*** Bug 97303 has been marked as a duplicate of this bug. ***
*** Bug 100289 has been marked as a duplicate of this bug. ***
Verified fixed.
Status: RESOLVED → VERIFIED
QA Contact: ckritzer → junruh
*** Bug 103838 has been marked as a duplicate of this bug. ***
*** Bug 96912 has been marked as a duplicate of this bug. ***
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Keywords: verifyme
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: