[625] in WWW Security List Archive


Re: HTTP "Referer" field considered harmful

daemon@ATHENA.MIT.EDU (Steff Watkins)
Tue Apr 25 10:25:24 1995

From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
Date: Tue, 25 Apr 1995 11:33:08 +0100 (BST)
In-Reply-To: <Pine.3.89.9504241728.A7410-0100000@sdcc8.ucsd.edu> from "Paul Phillips" at Apr 24, 95 05:51:27 pm
Errors-To: owner-www-security@ns2.rutgers.edu

> On Mon, 24 Apr 1995, Prentiss Riddle wrote:
> I am unaware of any browsers that implement this option (not to say that 
> none do, but if it exists on any that I use, it's well hidden.) This is 
> far from a complete solution, because it relies on the user not to 
> redistribute the URL rather than keeping it under the control of the 
> server.  It is part and parcel in the protocol that the user must know the 
> URL, though, because the browser had to open to it in the first place.  
> Thus you are correct that assuming a URL will remain secret is inherently 
> insecure.

Hello,

  from what I can tell, Netscape (all flavours) sets TWO environment
variables that can be used to find the calling WWW page. These variables are

    HTTP_REFERER and REFERER_URL

I've found that Xmosaic doesn't seem to set these variables. Lynx appears
to set just the HTTP_REFERER variable. As to other browsers, I cannot comment.

It appears to me that this should cause no one any worries about
any form of security. Netscape (I haven't tested other browsers) just sets
these two variables to the last page that it visited.

So, in my case, I visit my local main WWW server (http://www.bris.ac.uk/)
and then I open the URL to my variable test page
(http://sw.cse.bris.ac.uk/public/env-vars.html) and it tells me I came from
http://www.bris.ac.uk/ even though there is NO link between that site and
my test page.

As such, wary Web travellers could "spoof" the URL of the places they have
come from and thus, avoid having some site trap the pages they have been to.

Note :- My variable test page is open to anyone who wants to use it!! *8)
        http://sw.cse.bris.ac.uk/public/env-vars.html

Steff *8)
Steff.Watkins@bris.ac.uk
URL: Http://sw.cse.bris.ac.uk/public/pango.html
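The behaviour the message describes (a CGI script reading HTTP_REFERER and REFERER_URL, and the value simply being whatever page the browser last showed) is easy to model. The following is an added example, not code from the original post or from any browser or httpd of the time: it builds constructed CGI environment dictionaries for the three browsers mentioned, renders a small env-var dump page like the author's test page, and shows why a "referer gate" of the kind the thread warns against is both bypassable (any prior visit to the allowed host passes, linked or not) and unreliable (a browser that sends no Referer is locked out). The variable names are those on the page; the function names and sample URLs are assumptions for illustration.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed CGI environments, modelled on what a 1995 httpd would hand a
# script for each browser described in the message (not captured traffic).
NETSCAPE_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_REFERER": "http://www.bris.ac.uk/",   # last page shown, no link involved
    "REFERER_URL": "http://www.bris.ac.uk/",    # Netscape-specific duplicate
}
LYNX_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_REFERER": "http://www.bris.ac.uk/",   # Lynx sets only this one
}
MOSAIC_ENV = {
    "REQUEST_METHOD": "GET",                    # Xmosaic sets neither variable
}

REFERER_VARS = ("HTTP_REFERER", "REFERER_URL")


def referer_from_env(environ):
    """Return the referring URL as the server sees it, or None if absent.

    HTTP_REFERER is the standard CGI spelling; REFERER_URL is checked as a
    fallback only because the message reports Netscape setting it too.
    """
    for name in REFERER_VARS:
        value = environ.get(name)
        if value:
            return value
    return None


def referer_host(environ):
    """Hostname of the referring URL, or None when no referer is present."""
    url = referer_from_env(environ)
    return urlsplit(url).hostname if url else None


def render_env_vars_page(environ):
    """Produce the body of an env-var dump page like the author's test page.

    Values are HTML-escaped because the referer is client-supplied text;
    echoing it raw into a page would be a reflected-content bug.
    """
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>" % (escape(k), escape(v))
        for k, v in sorted(environ.items())
    )
    return "<html><body><table>%s</table></body></html>" % rows


def referer_gate(environ, allowed_hosts):
    """The pattern the thread argues against: admit a request only when the
    Referer names an approved host.  Returned purely to demonstrate its flaws;
    it is not a usable access control.
    """
    return referer_host(environ) in allowed_hosts


def gate_assessment(allowed_hosts):
    """Summarise how the gate behaves for the three constructed browsers."""
    return {
        # Passes although the test page is not linked from www.bris.ac.uk:
        # the header only records the last page displayed.
        "netscape_unlinked_visit_passes": referer_gate(NETSCAPE_ENV, allowed_hosts),
        "lynx_unlinked_visit_passes": referer_gate(LYNX_ENV, allowed_hosts),
        # Fails for a legitimate user whose browser sends no Referer at all.
        "mosaic_user_locked_out": not referer_gate(MOSAIC_ENV, allowed_hosts),
    }


if __name__ == "__main__":
    for name, env in (("Netscape", NETSCAPE_ENV), ("Lynx", LYNX_ENV), ("Xmosaic", MOSAIC_ENV)):
        print("%-8s referer=%r host=%r" % (name, referer_from_env(env), referer_host(env)))
    print(gate_assessment({"www.bris.ac.uk"}))
```

The design point is the one the message makes: the referer variables tell the script where the browser was, not who authorised the visit, so a server that wants to keep a page private must do so with its own state (authentication, server-side session) rather than with anything the client chooses to send.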
