开发者

Referer header when linking to a non-SSL site, from an SSL site

开发者 https://www.devze.com 2023-01-22 04:49 出处:网络
Section 15.1.3 in RFC 2616 states: Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol

Section 15.1.3 in RFC 2616 states:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol

However, I know many browsers have bugs and don't always follow spec, plus it only says SHOULD NOT, instead of MUST NOT. So my question is therefore:

1) Is there any browser (past, present, or beta) that breaks spec and DOES send the referer header when a request is made from a secure site

2) Are there any tools, browser plugins, or any way at all to modify a browser to break spec and send the referer header when making such a request

3) Is there any official sounding source, or load of in开发者_Python百科formation from security pros about this problem anywhere on the web that I can look at.

For a bit of background, this is part of a security review of my app which runs over SSL, and the spec is that no referer information should be sent to 3rd party sites. My testing has found no browser that will send the referer header in this scenario, but I would like to be very confident that I'm right.


By default in Firefox, if the 3rd-party site is over HTTPS, the referer header will be sent, according to the network.http.sendSecureXSiteReferrer option (accessible via about:config in the address bar).

0

精彩评论

暂无评论...
验证码 换一张
取 消