[622] in WWW Security List Archive


Re: HTTP "Referer" field considered harmful

daemon@ATHENA.MIT.EDU (wmperry@spry.com)
Tue Apr 25 00:50:30 1995

From: wmperry@spry.com
Date: Mon, 24 Apr 95 18:42 PDT
To: Paul Phillips <psphilli@sdcc8.UCSD.EDU>
Reply-to: wmperry@spry.com
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.3.89.9504241728.A7410-0100000@sdcc8.ucsd.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

Paul Phillips writes:
> 
> On Mon, 24 Apr 1995, Prentiss Riddle wrote:
> 
> > As a webmeister, I like the idea behind the Referer field and plan to
> > make more use of it to determine what sites are pointing at mine.
> > Perhaps the real problem lies in assuming that URLs will remain secret
> > and therefore assuming that they are an appropriate mechanism for
> > passing secrets or performing session authentication.
> 
> The http spec has (and has had) this to say about it:
> 
>        Note: Because the source of a link may be considered private
>        information or may reveal an otherwise secure information
>        source, it is strongly recommended that the user be able to
>        select whether or not the Referer field is sent. For
>        example, a browser client could have a toggle switch for
>        browsing openly/anonymously, which would respectively
>        enable/disable the sending of Referer and From information.
> 
> I am unaware of any browsers that implement this option (not to say that 
> none do, but if it exists on any that I use, it's well hidden.) This is 
> far from a complete solution, because it relies on the user not to 
> redistribute the URL rather than keeping it under the control of the 
> server.  It is part and parcel of the protocol that the user must know the
> URL, though, because the browser had to open to it in the first place.  
> Thus you are correct that assuming a URL will remain secret is inherently 
> insecure.

  One way to get around this would be to say that browsers should never
send the 'query' part of a URL in a Referer: field.

-Bill P.
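As an added illustration (not code from Bill Perry's post, nor from any browser of the time), the two policies discussed in this thread in JavaScript: a browser-side function that builds the Referer value and either drops the query part, as Bill proposes, or sends nothing at all under the openly/anonymously toggle the quoted spec text describes; and a server-side function showing what a webmeister can still recover (the referring site) versus what a browser without the stripping rule would have exposed. The function names, the `anonymous` option and the sample URL are assumptions constructed for this example.

```javascript
'use strict';

// Browser side. Builds the Referer value for a request originating from
// sourceUrl. Under the stripping rule the query part is dropped; under the
// spec's "browse anonymously" toggle no Referer is sent at all (null).
// Function and option names are assumptions for this example.
function refererFor(sourceUrl, { anonymous = false } = {}) {
  if (anonymous) return null;
  const u = new URL(sourceUrl);
  u.search = ''; // never forward the query string: that is where session IDs and passwords end up
  u.hash = '';   // the fragment is never sent over HTTP anyway
  return u.href;
}

// Server side. What the receiving site can learn from a Referer header:
// the referring origin (the legitimate webmeister use) and the names of any
// query parameters a browser without the stripping rule would have exposed.
function inspectReferer(header) {
  const empty = { site: null, leakedParams: [] };
  if (!header) return empty;
  let u;
  try {
    u = new URL(header);
  } catch (e) {
    return empty; // not an absolute URL; nothing useful to log
  }
  return { site: u.origin, leakedParams: [...u.searchParams.keys()] };
}

// Constructed sample: a CGI page that carries the session in the query string.
const SAMPLE_PAGE = 'http://intranet.example/cgi-bin/report?session=abc123&user=alice';

if (typeof require !== 'undefined' && require.main === module) {
  const naive = SAMPLE_PAGE;                 // a browser that sends the whole URL
  const stripped = refererFor(SAMPLE_PAGE);  // the query-stripping rule
  console.log('naive Referer   :', naive, '->', inspectReferer(naive));
  console.log('stripped Referer:', stripped, '->', inspectReferer(stripped));
  console.log('anonymous       :', refererFor(SAMPLE_PAGE, { anonymous: true }));
}
```

Run with Node: the naive header hands the receiving site both the `session` and `user` parameters, the stripped header hands it only the origin and path, and the anonymous toggle hands it nothing. A secret carried in the path rather than the query (an unlinked directory name, say) still goes out in the stripped form, which is exactly the weakness the quoted reply points at: a URL the browser had to be given cannot be kept secret by the server.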
