[tahoe-dev] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header
tahoe-lafs
trac at allmydata.org
Wed Oct 28 23:11:29 PDT 2009
#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
Reporter: warner | Owner:
Type: defect | Status: new
Priority: major | Milestone: undecided
Component: code-frontend-web | Version: 0.7.0
Keywords: security | Launchpad_bug:
-------------------------------+--------------------------------------------
Comment(by davidsarah):
Replying to [comment:9 zooko]:
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3
> * "Clients SHOULD NOT include a Referer header field in a (non-secure)
> HTTP request if the referring page was transferred with a secure
> protocol."
I have heard someone, I think Tyler Close, say that clients interpret this
in a stupidly literal way: they do include the Referer header in an HTTP-
over-SSL/TLS request -- because that is not a "non-secure" request -- when
the referring page was also transferred over HTTP-over-SSL/TLS, even if
the keys or domains are different.
Also, http://community.livejournal.com/lj_dev/707379.html seems to suggest
that non-Mozilla browsers do not follow the above restriction on sending
Referer at all -- although that was in 2006.
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:13>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid
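Added example, not part of the ticket and not Tahoe-LAFS code: a small Python model of the two Referer rules contrasted in the comment above. The "rfc2616" policy is the literal SHOULD NOT from RFC 2616 section 15.1.3 (suppress only for a secure page linking to a non-secure request); the "same-origin" policy also suppresses when scheme, host or port differ. The second function shows what a remote site would learn from the Referer it receives. The cap string, host and port are constructed placeholders, and the cap regex is a loose assumption for illustration, not the parser Tahoe uses.

```python
"""Model of browser Referer behaviour for cap URLs (added example, not Tahoe code)."""
import re
from urllib.parse import urlsplit

# Tahoe web-frontend URLs carry caps as /uri/URI:<type>:...  This pattern is an
# assumption for illustration only; Tahoe's own cap parser is stricter.
CAP_RE = re.compile(r"URI:[A-Z0-9]+(?:-RO|-Verifier)?:[^/?#\s]+", re.I)


def origin(url):
    """(scheme, host, port) with the default port filled in for comparison."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def referer_to_send(referring_url, target_url, policy="rfc2616"):
    """Return the Referer value a client would send for a link from
    referring_url to target_url, or None if the header is suppressed.

    policy "rfc2616":     suppress only when the referring page was https and
                          the request is not (the literal SHOULD NOT).
    policy "same-origin": additionally suppress whenever the origin differs,
                          which is what would stop https -> https cross-domain leaks.
    """
    ref, tgt = urlsplit(referring_url), urlsplit(target_url)
    if ref.scheme.lower() == "https" and tgt.scheme.lower() != "https":
        return None
    if policy == "same-origin" and origin(referring_url) != origin(target_url):
        return None
    # Browsers drop the fragment but send path and query, so a cap in the
    # path of the referring page travels with the request.
    return referring_url.split("#", 1)[0]


def leaked_caps(referer_value):
    """Caps visible to the receiving site in an incoming Referer header."""
    if not referer_value:
        return []
    return CAP_RE.findall(referer_value)


if __name__ == "__main__":
    # Constructed placeholder: a directory-cap page on a local gateway.
    page = "https://127.0.0.1:3456/uri/URI:DIR2:placeholderwritecap:placeholderfp/"
    for target in ("http://example.com/", "https://example.com/"):
        for policy in ("rfc2616", "same-origin"):
            sent = referer_to_send(page, target, policy)
            print(policy, "->", target, "leaks:", leaked_caps(sent))
```

Under the "rfc2616" policy the https-to-https link to a different host still carries the full cap, which is the behaviour the comment attributes to real clients; only the stricter origin comparison withholds it.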