Fwd: [Bug 22558] referrer leaks through to non-referring site

Waldo Bastian bastian at kde.org
Tue Jul 8 13:46:23 BST 2003


On Monday 07 July 2003 15:52, Waldo Bastian wrote:
> On Sunday 06 July 2003 18:03, Waldo Bastian wrote:
> > On Saturday 05 July 2003 22:39, George Staikos wrote:
> > > Now the question is, did my changes expose this?
> >
> > With my build from the 3.1 branch (without your partial fix for 60479) I
> > notice the problem when entering the URL in the location bar and when
> > pasting the URL with MMB. I can't reproduce it by selecting the url as
> > bookmark.
> >
> > The bad part is that the referrer here includes username and password as
> > well, so I guess the khtml fix is needed after all.
>
> Attached are two patches as a partial fix to the referrer problem. It
> changes how d->m_pageReferrer is set within KHTMLPart: It is now
> set according to the information that it gets back from the io-slave (http
> slave). This ensures that the document.referrer is better synced to the
> actual referrer sent by the http-slave. It also makes it possible to have
> all referrer logic in kio_http instead of having to duplicate it in
> multiple places.
>
> Also attached is a test-case. They should be installed on a php-enabled
> webserver and accessed via http. The following tests should be done with
> the test-case:
>
> (1) Browse from referrer.php to referrer2.php to referrer3.php via the
> links on the pages.
> - The referrer should point to the previous page in each instance.
>
> (2) Use the back button to go back.
> - The referrers should not have changed, both referrers on referrer2.php
> should still point to referrer.php.
>
> (3) Reload the page.
> - The referrers should not change, both referrers on referrer2.php should
> still point to referrer.php.
>
> (4) Browse to referrer3.php via the link on the referrer2.php page. Then
> visit 15 other pages (To flush the page-cache for referrer2.php) and clear
> the cache. Now go back to referrer2.php using the history.
> - The referrers should not change, both referrers on referrer2.php should
> still point to referrer.php.
>
> (5) Go to referrer3.php and then enter referrer2.php in the location bar.
> - Both referrers should be empty.
>
> (6) Go to referrer.php and browse to referrer2.php. Now enter referrer2.php
> in the location bar.
> - Both referrers should be empty.
>
> (7) Go to referrer.php and browse to referrer2.php. Now enter
> referrer2.php#bla in the location bar.
> - Both referrers should not change, both referrers on referrer2.php should
> still point to referrer.php.
>
> (8) Go to referrer.php and browse to referrer2.php. Now click on
> "Javascript reload".
> - Both referrers should not change, both referrers on referrer2.php should
> still point to referrer.php.
>
> (9) Go to referrer.php and browse to referrer2.php and bookmark it. Go to
> referrer3.php and then go to referrer2.php using the bookmark.
> - Both referrers should be empty.
>
> (10) While still on referrer2.php select the referrer2.php bookmark again.
> - Both referrers should be empty.
>
> (11) Go to referrer2.php and select "Redirection to referrer3.php". You
> should end up on referrer3.php.
> - Both referrers should point to referrer2.php
>
> (12) Go to http://foo:bar@<host>/<path>/referrer.php (Fill in <host> and
> <path> accordingly) and browse to referrer2.php
> - Neither referrer should contain either foo or bar.
>
> With the patches below applied, Konqueror still fails on test (3) and (8).
> After applying the patches and installing make sure that your konqueror is
> actually using the new khtml and the new kio_http. You may need to kill any
> existing kio_http process first and you may wish to flush the kio_http
> cache with "kio_http_cache_cleaner --clear-all".
>
> I have tested Netscape 4.x which breaks on (12)
>
> Open issues:
> A) What should the behavior be when accessing the files via file:/ instead
> of http? NS 4.x sets document.referrer in that case. (Note that Konqueror
> doesn't the file at all unless renamed it to .html) Konqueror leaves
> document.referrer empty.
> B) What should the behavior be when accessing a file via http:// but linked
> from a file:/ URL? NS 4.x sets document.referrer to the file:/ url in that
> case. Konqueror leaves document.referrer empty.
>
> I would appreciate it if people could verify the behavior of other browsers
> wrt 1-12 and A & B.
>
> Additional test-cases are welcome.
>
> Cheers,
> Waldo

The attached konqueror patch takes care of (3) but (8) is still broken. I 
would appreciate it if someone could verify the above tests with other 
browsers so that we know that we pursue the correct semantics.

Cheers,
Waldo
- -- 
bastian at kde.org -=|[ SuSE, The Linux Desktop Experts ]|=- bastian at suse.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: HEAD-kdebase-konqueror.patch
Type: text/x-diff
Size: 3105 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20030708/29d6a98f/attachment.patch>
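
The referrer semantics that tests (1) to (12) in the quoted message ask for can be written down as a small model, added here as an illustration and not part of the original message or of the KDE patches. The function names, the navigation-type labels and the example.test URLs are assumptions made for this example.

```javascript
// Added illustration; names are hypothetical and this is not KDE code.

// Value that may be sent as a referrer: http(s) only, no userinfo, no fragment.
function sanitizeReferrer(url) {
  const u = new URL(url);
  // Assumption: non-http origins yield an empty referrer, as Konqueror
  // is described as doing in open issue B.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return '';
  u.username = '';
  u.password = '';   // test 12: neither "foo" nor "bar" may survive
  u.hash = '';
  return u.href;
}

// True when `to` is the same document as `from` plus a fragment (test 7).
function isFragmentOnly(from, to) {
  const a = new URL(from), b = new URL(to);
  if (b.hash === '') return false;
  a.hash = '';
  b.hash = '';
  return a.href === b.href;
}

// nav = { type, from, to, stored }: `from` is the page being left, `stored` is
// the referrer recorded when the target document was first loaded.
function expectedReferrer(nav) {
  switch (nav.type) {
    case 'link':       // tests 1, 11, 12: the page holding the link
      return sanitizeReferrer(nav.from);
    case 'history':    // tests 2, 4: back/forward keeps the original referrer
    case 'reload':     // tests 3, 8: so does a reload
      return nav.stored;
    case 'typed':      // tests 5, 6: empty, unless only the fragment changed (7)
      return isFragmentOnly(nav.from, nav.to) ? nav.stored : '';
    case 'bookmark':   // tests 9, 10
      return '';
    default:
      throw new Error('unknown navigation type: ' + nav.type);
  }
}

// Constructed sample: test 12, example.test standing in for <host>/<path>.
console.log(expectedReferrer({
  type: 'link',
  from: 'http://foo:bar@example.test/t/referrer.php',
  to: 'http://example.test/t/referrer2.php',
}));
```
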

