[tahoe-dev] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header

tahoe-lafs trac at allmydata.org
Thu Oct 29 06:34:50 UTC 2009


#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
 Reporter:  warner             |           Owner:           
     Type:  defect             |          Status:  new      
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  0.7.0    
 Keywords:  security           |   Launchpad_bug:           
-------------------------------+--------------------------------------------

Comment(by davidsarah):

 The behaviour of Mozilla browsers for the secure -> secure case is
 controlled by this preference [note "rr" spelling]:

 http://kb.mozillazine.org/Network.http.sendSecureXSiteReferrer

 Summary: it does the wrong thing by default :-(

 (This preference controls when to send Referer in other cases:

 http://kb.mozillazine.org/Network.http.sendRefererHeader

 I just changed my Firefox config to '''never''' send it, i.e.
 {{{network.http.sendRefererHeader = 0}}} and
 {{{network.http.sendSecureXSiteReferrer = false}}}. I doubt anything will
 break.)

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:14>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid


More information about the tahoe-dev mailing list