W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

GET and referer security considerations

From: Koen Holtman <koen@win.tue.nl>
Date: Tue, 1 Jul 1997 20:13:12 +0200 (MET DST)
Message-Id: <199707011813.UAA05139@wsooti08.win.tue.nl>
To: Hallam-Baker <hallam@ai.mit.edu>
Cc: http-wg@cuckoo.hpl.hp.com
Hallam-Baker:
>
[...]
>Specifically I I have a confidential document P that links to Q I may want
>to instruct browsers not to pass on the referer field. It seems to me that
>this would be an easy enhancement to add to the spec but what the best
>way of transporting this information is I'm not sure.
[...]

This reminds me....  Some time ago, I read a report (in the RISKS
digest?) of the following case:

- user submits confidential information (e.g. credit card number) to a
  server, using a form
- form submission is nicely secure (SSL I believe)
- however, the form was submitted with a GET request
- and the form result contained a link to page on another server.

Result: the other server had things like

 https://blah.com/cgi/buy-cd?creditcard=2034872398472340

appearing in its referer log file.

This case suggests to me two additions to the HTTP/1.1 security
considerations section:

- User agents SHOULD NOT include a referer field in a (non-secure) HTTP
  request if the referring page was transferred with a secure protocol.

- Web servers SHOULD NOT use GET based forms for the submission
  of sensitive data, because this will cause this data to be encoded in
  the request URI, and many existing servers, proxies, and user agents
  will log the request URI in some place where it may be visible to
  third parties.  Servers can use POST based form submission instead.


Koen.
Received on Tuesday, 1 July 1997 11:15:33 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:45 EDT