
Referer: header (incorrectly) sent when typing a URL using the keyboard #360


Description

The browser always sends a Referer: header when navigating to a new HTTPS URL, even where that navigation is not the result of clicking a hyperlink or submitting a form. For example, when typing a URL using the keyboard, the domain of the previous page is leaked to the new site.

This violates RFC1945 §10.13, which states:

The Referer field must not be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard.

Steps to replicate

  1. Visit a URL, e.g. https://example.com/
  2. Into the address bar, manually type the URL of an HTTPS web page that reports the Referer: header back to you, e.g. https://www.whatismybrowser.com/, or https://requestheaders.dev/
  3. Observe that the header Referer: https://example.com/ is sent by the browser

Expected behavior

The Referer: header should never be sent on requests that originate from keyboard entry.

Screenshots

Screenshot showing WhatIsMyBrowser.com detecting example.com as the referrer, even though example.com has no links to WhatIsMyBrowser.com

Screenshot showing the Referer header as passed to RequestHeaders.dev

fdellwing (Contributor) commented Jul 2, 2024

This sounds like it might be related to #355

Author

This sounds like it might be related to #355

I saw that issue. I think this might actually be the opposite problem:

  • LibWeb: Incorrect referrer header #355 sounds to me like it's about the Referer: header not being sent when requesting dependent resources (when it probably should, but it's not a violation of the HTTP specification to not do so).
  • This issue is about the Referer: header being sent when typing in a URL (when it definitely shouldn't!).

That said: I'm not familiar with the codebase so the two could very well be closely-related.

fdellwing (Contributor) commented Jul 2, 2024

#355 sounds to me like it's about the Referer: header not being sent

Nope, it's about the header being sent (in this case making one up out of thin air because we are in about:newtab) when it should not be sent -> directly browsing that resource

Author

Okay, you're probably right! Closing as duplicate!
