Re: HTTP "Referer" field considered harmful
Paul Phillips writes:
>
> On Mon, 24 Apr 1995, Prentiss Riddle wrote:
>
> > As a webmeister, I like the idea behind the Referer field and plan to
> > make more use of it to determine what sites are pointing at mine.
> > Perhaps the real problem lies in assuming that URLs will remain secret
> > and therefore assuming that they are an appropriate mechanism for
> > passing secrets or performing session authentication.
>
> The http spec has (and has had) this to say about it:
>
> Note: Because the source of a link may be considered private
> information or may reveal an otherwise secure information
> source, it is strongly recommended that the user be able to
> select whether or not the Referer field is sent. For
> example, a browser client could have a toggle switch for
> browsing openly/anonymously, which would respectively
> enable/disable the sending of Referer and From information.
>
> I am unaware of any browsers that implement this option (not to say that
> none do, but if it exists on any that I use, it's well hidden.) This is
> far from a complete solution, because it relies on the user not to
> redistribute the URL rather than keeping it under the control of the
> server. It is part and parcel in the protocol that the user must know the
> URL, though, because the browser had to open to it in the first place.
> Thus you are correct that assuming a URL will remain secret is inherently
> insecure.
One way to get around this would be to say that browsers should never
send the 'query' part of a URL in a Referer: field.
-Bill P.
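As an added illustration of the proposal above (my code, not part of the original thread): how a browser would build the Referer value with the query part stripped, beside the full-URL behaviour it replaces, plus the "browse anonymously" toggle the spec note suggests. The page URL, its session token and the function names are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed example: a page whose URL carries a session token in its query string.
SAMPLE_PAGE = "http://www.example.org/private/report.html?session=SECRET123"


def naive_referer(page_url: str) -> str:
    """Full URL of the page the link was followed from, as browsers of the day sent it."""
    return page_url


def safe_referer(page_url: str, anonymous: bool = False) -> Optional[str]:
    """Referer per the proposal: keep scheme, host and path, drop the query part.

    The fragment is dropped too (it is never part of the request).
    Returns None when the user has selected anonymous browsing, so that no
    Referer header is sent at all.
    """
    if anonymous:
        return None
    scheme, netloc, path, _query, _fragment = urlsplit(page_url)
    return urlunsplit((scheme, netloc, path, "", ""))


def leaks_secret(referer: Optional[str], secret: str) -> bool:
    """True if the header value would hand the secret to the linked-to server."""
    return referer is not None and secret in referer


def referring_site(referer: Optional[str]) -> Optional[str]:
    """What a webmaster still gets from the stripped value: the host that linked in."""
    if referer is None:
        return None
    return urlsplit(referer).hostname


if __name__ == "__main__":
    print("full URL   :", naive_referer(SAMPLE_PAGE))
    print("query-free :", safe_referer(SAMPLE_PAGE))
    print("anonymous  :", safe_referer(SAMPLE_PAGE, anonymous=True))
    print("site seen  :", referring_site(safe_referer(SAMPLE_PAGE)))
```

Stripping the query keeps the host and path, so counting which sites link in still works while a token placed in the query string no longer travels to the next server.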