[tahoe-dev] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header

tahoe-lafs trac at allmydata.org
Thu Oct 29 06:11:29 UTC 2009


#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
 Reporter:  warner             |           Owner:           
     Type:  defect             |          Status:  new      
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  0.7.0    
 Keywords:  security           |   Launchpad_bug:           
-------------------------------+--------------------------------------------

Comment(by davidsarah):

 Replying to [comment:9 zooko]:
 > http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

 >  * "Clients SHOULD NOT include a Referer header field in a (non-secure)
 HTTP request if the referring page was transferred with a secure
 protocol."

 I have heard someone, I think Tyler Close, say that clients interpret this
 in a stupidly literal way: they do include the Referer header in an HTTP-
 over-SSL/TLS request -- because that is not a "non-secure" request -- when
 the referring page was also transferred over HTTP-over-SSL/TLS, even if
 the keys or domains are different.

 Also, http://community.livejournal.com/lj_dev/707379.html seems to suggest
 that non-Mozilla browsers do not follow the above restriction on sending
 Referer at all -- although that was in 2006.

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:13>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid


More information about the tahoe-dev mailing list