Brad Fitzpatrick (brad) wrote,
Brad Fitzpatrick
brad

Firefox 1.0/1.1 bug?

Both Firefox 1.0.3 and the almost-1.1 nightly builds have an interesting feature/bug.

You can dynamically load JavaScript (from any URL) from Javascript and Firefox won't send along the HTTP Referer (sic) header.

Test with, say:
function js_include (uri) {
  var se = document.createElement("script");
  se.src = uri;
  document.body.appendChild(se);
}

....

js_include("http://victim.example.com/");
Now, imagine if every LJ page contained that. Every LJ user could be DoS'ing some other site, with no Referer header saying we requested it.

Dear Lazyweb, tell me what other browsers do/send. I'd go upstairs and use IE on Dina's laptop but I'm too lazy to install ethereal on it. Plus I should go back to bed.

Update: Couldn't sleep. Results:

Firefox/1.0.2 (Debian package 1.0.2-2): No Referer
Firefox/1.0.1 (Windows): Referer
IE 6: Referer

So is this a regression from 1.0.1 to 1.0.2, or is it a Linux/Windows thing?

Update#2:
Firefox/1.0.1 (Linux, not Debian): No Referer

Looking like a Linux thing.
Tags: lazyweb
Subscribe
  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 14 comments