[tahoe-dev] [tahoe-lafs] #127: Cap URLs leaked via HTTP Referer header

tahoe-lafs trac at allmydata.org
Thu Oct 29 09:11:25 PDT 2009


#127: Cap URLs leaked via HTTP Referer header
-------------------------------+--------------------------------------------
 Reporter:  warner             |           Owner:           
     Type:  defect             |          Status:  new      
 Priority:  major              |       Milestone:  undecided
Component:  code-frontend-web  |         Version:  0.7.0    
 Keywords:  security           |   Launchpad_bug:           
-------------------------------+--------------------------------------------

Comment(by zooko):

 Last year I asked Collin Jackson (who knows a good deal about web
 security) how to automatically prevent Referer Headers from being sent.
 He repied:

   Most of the techniques involve making the request come from a non-HTTP
 scheme. The browser usually won't bother to send a Referer in this case.

   Option A: ftp scheme

   {{{
   ftp://site.com/source.html
   }}}

   Option B: about:blank scheme

   {{{
   w = window.open("");
   w.document.write("<form ...>");
   w.document.forms[0].submit();
   }}}

   Option C: javascript: scheme

   {{{
   window.location="javascript:'<script>window.location='...</script>'"
   }}}

-- 
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/127#comment:16>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid


More information about the tahoe-dev mailing list