[627] in WWW Security List Archive
Re: HTTP "Referer" field considered harmful
daemon@ATHENA.MIT.EDU (wmperry@spry.com)
Tue Apr 25 14:37:58 1995
From: wmperry@spry.com
Date: Tue, 25 Apr 95 07:56 PDT
To: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <9504251033.AA00591@sun.cse.bris.ac.uk>
Reply-to: wmperry@spry.com
Errors-To: owner-www-security@ns2.rutgers.edu
Steff Watkins writes:
> > On Mon, 24 Apr 1995, Prentiss Riddle wrote:
> > I am unaware of any browsers that implement this option (not to say that
> > none do, but if it exists on any that I use, it's well hidden.) This is
> > far from a complete solution, because it relies on the user not to
> > redistribute the URL rather than keeping it under the control of the
> > server. It is part and parcel in the protocol that the user must know the
> > URL, though, because the browser had to open to it in the first place.
> > Thus you are correct that assuming a URL will remain secret is inherently
> > insecure.
>
> Hello,
>
> from what I can tell, Netscape (all flavours) sets TWO environment
> variables that can be used to find the calling WWW page. These variables are
>
> HTTP_REFERER and REFERER_URL
>
> I've found that Xmosaic doesn't seem to set these variables. Lynx appears
> to set just the HTTP_REFERER variable. As to other browsers, I cannot
> comment.
It's the Netsite _server_ that sets REFERER_URL - looks like they probably
added it in there for convenience's sake as a bit of a diversion from the
CGI/1.1 spec.
> It appears to me that this should cause no-one any worries about any form
> of security. Netscape (I haven't tested other browsers) just sets these
> two variables to the last page that it visited.
But even having that last page can reveal things, a la the SATAN password,
or even just the names of machines on your internal net that you do not
want known to the outside world, or even parts of the filesystem, etc.
-Bill P.
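As an added example that is not part of this thread, here is a CGI-side check (Python) of what a Referer value discloses about the previous page, covering the cases raised above: a password carried in the URL, an internal machine name, or a user directory path. HTTP_REFERER is the CGI/1.1 variable and REFERER_URL the Netsite extension mentioned in the reply; the sample URLs and the list of secret-looking query keys are constructed assumptions.

```python
"""Added example: classify what a Referer value gives away (sample values are constructed)."""
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Query-string keys that commonly carry a password or session secret (assumed list).
SECRET_KEYS = {"password", "passwd", "pass", "pw", "token", "session", "sessionid", "key"}


def referer_findings(referer):
    """Return sorted leakage categories found in a Referer URL ([] means none detected)."""
    findings = set()
    parts = urlsplit(referer)
    if parts.username or parts.password:
        findings.add("userinfo")  # user:pass@host embedded in the URL itself
    host = parts.hostname or ""
    if host:
        try:
            if ipaddress.ip_address(host).is_private:
                findings.add("private-address")  # RFC 1918 style internal address
        except ValueError:
            # Not an IP literal: a bare name or a typical internal suffix
            # identifies a machine an outside site has no business learning about.
            if "." not in host or host.endswith((".local", ".internal", ".lan")):
                findings.add("internal-hostname")
    if any(k.lower() in SECRET_KEYS for k, _ in parse_qsl(parts.query, keep_blank_values=True)):
        findings.add("secret-in-query")
    if any(seg.startswith("~") for seg in parts.path.split("/")):
        findings.add("home-directory-path")  # /~user/ reveals a local account name
    return sorted(findings)


def check_cgi_environ(environ):
    """Inspect a CGI environment dict; returns None when no Referer was sent."""
    referer = environ.get("HTTP_REFERER") or environ.get("REFERER_URL")
    return referer_findings(referer) if referer else None


if __name__ == "__main__":
    samples = [  # constructed CGI environments, not captured from a real server
        {"HTTP_REFERER": "http://www.example.com/public/index.html"},
        {"HTTP_REFERER": "http://intranet/cgi-bin/report.pl?user=steff&password=hunter2"},
        {"REFERER_URL": "http://admin:letmein@10.1.2.3/status"},
        {"HTTP_REFERER": "http://www.example.com/~bill/private/notes.html"},
    ]
    for env in samples:
        print(env.get("HTTP_REFERER") or env.get("REFERER_URL"), "->", check_cgi_environ(env))
```

The heuristics only flag what is visible in the URL; a secret hidden in an opaque path segment still leaks even though this reports nothing.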