Re: Sending Referer [#144]

On Fri, Jun 12, 2009 at 4:13 PM, Henrik
Nordstrom<henrik@henriknordstrom.net> wrote:
> mån 2009-06-01 klockan 14:11 -0700 skrev Adam Barth:
>> As things stand, the document forbids user agents from always sending
>> the Referer header, preventing a browser-specific specification from
>> requiring this behavior.
>
> Browser specification in this case should be along the lines of "If the
> request was initiated by reference from another object with a known URI
> then the Referer header SHOULD be sent indicating the URI of the
> referencing resource."

That is insecure.  For example, if the referring URI is an HTTPS URI,
then this would ask that user agents send the path and query string of
the HTTPS URI in the clear over the network, potentially disclosing
sensitive information in those parts of the URI, such as authorization
tokens.

Adam

Received on Friday, 12 June 2009 23:44:00 UTC
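The following is an added example, not part of the thread above and not code from any browser or from the HTTPbis working group. It models the two rules Adam contrasts: the "always send a Referer for a referenced object" rule Henrik sketches, and a user agent that withholds the Referer when the referring document is https: and the request is http:, and that always strips userinfo and the fragment. The helper names (computeReferer, alwaysSend, cleartextDisclosure), the sample URLs, and the "authorization token in the query string" scenario are constructed for illustration. It runs under Node.js using only the WHATWG URL class.

```javascript
'use strict';

// Referer a user agent should send for a request, given the referring
// document's URL. Returns null when no Referer should be sent at all.
// Rules demonstrated (assumptions of this example, not text from the thread):
//   1. Only http: and https: referrers produce a Referer (about:, data:,
//      file: and friends send nothing).
//   2. An https: referrer never produces a Referer on a non-https: request:
//      that is the downgrade case in which the path and query would cross
//      the network in the clear.
//   3. Userinfo and the fragment are always stripped from what is sent.
function computeReferer(referrerUrl, requestUrl) {
  let ref, req;
  try {
    ref = new URL(referrerUrl);
    req = new URL(requestUrl);
  } catch (e) {
    return null; // unparseable URL: send nothing rather than guess
  }
  if (ref.protocol !== 'http:' && ref.protocol !== 'https:') return null;
  if (ref.protocol === 'https:' && req.protocol !== 'https:') return null;

  const clean = new URL(ref.href);
  clean.username = '';
  clean.password = '';
  clean.hash = '';
  return clean.href;
}

// The naive rule: a known referring URI is always sent as the Referer.
function alwaysSend(referrerUrl) {
  return new URL(referrerUrl).href;
}

// What a passive observer on the request's connection learns about the
// referring page's path and query under a given Referer policy. Only an
// http: request is readable on the wire; an https: request is not.
function cleartextDisclosure(referrerUrl, requestUrl, policy) {
  const req = new URL(requestUrl);
  const referer = policy(referrerUrl, requestUrl);
  if (referer === null || req.protocol !== 'http:') return '';
  const r = new URL(referer);
  return r.pathname + r.search;
}

// Constructed scenario: an HTTPS page whose query string carries an
// authorization token references an image served over plain HTTP.
const SECURE_PAGE = 'https://bank.example/account?token=abc123#summary';
const PLAIN_IMAGE = 'http://cdn.example/img.png';

console.log('always-send leaks :', JSON.stringify(cleartextDisclosure(SECURE_PAGE, PLAIN_IMAGE, alwaysSend)));
console.log('downgrade-aware   :', JSON.stringify(cleartextDisclosure(SECURE_PAGE, PLAIN_IMAGE, computeReferer)));
console.log('https -> https    :', computeReferer(SECURE_PAGE, 'https://cdn.example/img.png'));
```

Under the always-send rule the observer sees `/account?token=abc123` in the clear; the downgrade-aware function sends nothing in that case, and on an https: to https: request sends `https://bank.example/account?token=abc123` with the fragment removed. The "MUST NOT send a Referer from a secure page in an unsecured request" rule is the one RFC 7231 (Section 5.5.2) eventually adopted.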