Re: [whatwg] Referer header sent with <a ping>?

Kornel Lesinski wrote:
> 
> On Sun, 10 Feb 2008 10:42:47 -0000, Julian Reschke 
> <julian.reschke@gmx.de> wrote:
> 
>> So you're saying that recipients treat the absence of a Referer header 
>> as indication the offering page was from the same origin? That would 
>> IMHO be contrary to what RFC2616 defines (the absence of the Referer 
>> header means that the Referrer either doesn't have a URI, or the 
>> client doesn't want to reveal it).
> 
> If the client does not reveal the referrer, the website can't tell if the 
> request was local or from another site. In order to avoid blocking 
> legitimate requests (local requests from a client/proxy that hides the 
> referrer) websites have to accept all requests without Referer.
> 
>> Pointers, please.
> 
> The easiest example to find is anti-hotlinking code which deals with the 
> same issue:  [...]

The cost of false negatives in anti-hotlinking code is very small - it 
just results in a tiny amount of bandwidth usage from the users who 
don't send Referers, and still has the desired effect of making image 
hotlinking useless since it will block almost all users. It isn't 
inferring any trust based on the lack of Referer.

It's quite a different situation when the Referer is used as a security 
measure in deciding to trust a user's request, where false negatives can 
have significant consequences (like editing data via cross-site request 
forgery). That is the situation where <a ping> mustn't introduce new risks.

I looked for some examples of code that checks the Referer for security, 
and found:

http://google.com/codesearch?q=show:BILmTBaOV7w:J2LE5gqHQ64:eBTzqE7cT8s&cs_p=http://wphooks.flatearth.org&cs_f=hooks/check_admin_referer/-001#first

http://google.com/codesearch?q=show:H3ulLINfCo0:QkWYPi2-xVM:o8NYFfBdVkY&cs_p=http://freshmeat.net/redir/punbb/46741/url_tgz/punbb-1.2.15.tar.gz&cs_f=punbb-1.2.15/upload/include/functions.php#l671

http://google.com/codesearch?q=show:J2QBLfV3jjo:NRV5Vj3R4SI:1curwdNzfbk&cs_p=ftp://t3domains.de/pub/TYPO3-complete-package/current-version/yamlt3-V4.5.0.zip&cs_f=yamlt3/typo3/sysext/cms/tslib/class.tslib_fe.php#l2106

http://google.com/codesearch?q=show:cFRMv4O2bGI:eriQ8VkTUd4:dQQ6OTNA-Bs&cs_p=https://svn.radicaldesigns.org/amp/trunk&cs_f=punbb/admin_options.php#l41

http://google.com/codesearch?q=show:2v0x4p249hg:NM4BWguMEFY:lqNJFi-SHlc&cs_p=http://scoop.kuro5hin.org/dist/releases/scoop_1.1.7.tar.gz&cs_f=scoop-1.1.7/lib/Scoop/Admin.pm#l8

http://google.com/codesearch?q=show:aVoQhiwqoGk:-V6ZnWGm9lc:vBMeJnZMb1M&cs_p=http://www.dcscripts.com/localFTP/gdcf625.tar.gz&cs_f=./dcf625/cgi-bin/dcforum/dcboard.cgi#l344

If I'm not misreading the code, they all deny access if the Referer is 
absent (i.e. they default to 'safe', at the cost of blocking a small 
number of users). So it would not introduce any new vulnerabilities in 
those cases if <a ping> sent requests with no Referer.

I haven't yet seen any code which assumes a missing Referer should be 
trusted like a local Referer when performing some action (though 
obviously that's not evidence that such things don't exist).

-- 
Philip Taylor
pjt47@cam.ac.uk
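The distinction drawn in the post (deny-when-absent versus allow-when-absent, and what a ping sent without Referer would do under each) can be made concrete in a few lines. The following is an added example written for this page; it is not code from the post or from any of the projects linked above. The site origin `http://forum.example`, the sample request headers and the policy names are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical site origin and constructed sample requests for the example;
# none of this is taken from the projects linked in the post.
SITE_ORIGIN = "http://forum.example"

SAMPLE_REQUESTS = {
    # normal same-origin form submission from a browser that sends Referer
    "same_origin_post": {"Referer": "http://forum.example/admin_options.php"},
    # cross-site form submission from an attacker's page (CSRF attempt)
    "cross_site_post": {"Referer": "http://attacker.example/csrf.html"},
    # privacy proxy, stripped header, or a ping request sent without Referer
    "no_referer": {},
    # host that merely contains the site's hostname as a substring
    "lookalike_host": {"Referer": "http://forum.example.attacker.example/"},
    # header present but not a URL
    "garbage_referer": {"Referer": "not a url"},
}


def referer_origin(headers):
    """Return 'scheme://host[:port]' of the Referer, or None if it is absent
    or cannot be parsed as a URL (RFC 2616 lets the client omit it)."""
    ref = headers.get("Referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def strict_policy(headers, site_origin=SITE_ORIGIN):
    """Deny unless the Referer's origin matches the site: the default-safe
    behaviour the post reports finding in the linked code. A request with no
    Referer is rejected, so a ping that omits it cannot trigger the action."""
    return referer_origin(headers) == site_origin


def lenient_policy(headers, site_origin=SITE_ORIGIN):
    """Allow when the Referer is absent (anti-hotlinking style), reject only
    a recognisably foreign origin. Used for a state-changing action, this is
    the case where a Referer-less ping would be treated like a local request."""
    origin = referer_origin(headers)
    return origin is None or origin == site_origin


def substring_policy(headers, host="forum.example"):
    """Common pitfall (not attributed to any linked project): a substring
    match on the hostname rather than an origin comparison."""
    ref = headers.get("Referer", "")
    return ref != "" and host in ref


def evaluate(policy):
    """Map each constructed request to the policy's allow (True) / deny (False)."""
    return {name: policy(headers) for name, headers in SAMPLE_REQUESTS.items()}


def ping_without_referer_allowed(policy):
    """True if a Referer-less request (e.g. a ping) would pass this policy."""
    return policy(SAMPLE_REQUESTS["no_referer"])


if __name__ == "__main__":
    for policy in (strict_policy, lenient_policy, substring_policy):
        print(policy.__name__, evaluate(policy))
```

Running it shows the point of the post: under `strict_policy` the no-Referer request is denied along with the cross-site one, so a ping sent without Referer adds no new exposure; under `lenient_policy` it is allowed, which is exactly the kind of code the post says it has not yet found but cannot rule out. Two further caveats the table makes visible: a lenient check that treats an unparsable Referer as "absent" also lets the `garbage_referer` request through, and the substring variant accepts the look-alike host, so a check should compare the parsed origin rather than search the raw header.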

Received on Tuesday, 12 February 2008 21:54:44 UTC