W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: Sending Referer [#144]

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 12 Jun 2009 16:43:05 -0700
Message-ID: <7789133a0906121643ybcfd6aet11c7a30d9e136d7b@mail.gmail.com>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Jun 12, 2009 at 4:13 PM, Henrik
Nordstrom<henrik@henriknordstrom.net> wrote:
> mån 2009-06-01 klockan 14:11 -0700 skrev Adam Barth:
>> As things stand, the document forbids user agents from always sending
>> the Referer header, preventing a browser-specific specification from
>> requiring this behavior.
>
> Browser specification in this case should be in the lines of "If the
> request was intitiated by reference from another object with a known URI
> then the Referer header SHOULD be sent indicating the URI of the
> referencing resource."

That is insecure.  For example, if the referring URI is an HTTPS URI,
then this would ask that user agents send the path and query string of
the HTTPS URI in the clear over the network, potentially disclosing
sensitive information in those parts of the URI, such as authorization
tokens.

Adam
Received on Friday, 12 June 2009 23:44:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:03 GMT