brad's life

Firefox 1.0/1.1 bug? [May. 8th, 2005|05:28 am]
Brad Fitzpatrick

Both Firefox 1.0.3 and the almost-1.1 nightly builds have an interesting feature/bug.

You can dynamically load JavaScript (from any URL) from JavaScript and Firefox won't send along the HTTP Referer (sic) header.

Test with, say:
// Appends a <script> element pointing at uri; the browser fetches it
// immediately, so it is the request for uri whose Referer header we care about.
function js_include (uri) {
  var se = document.createElement("script");
  se.src = uri;
  document.body.appendChild(se);
}

....

js_include("http://victim.example.com/");

Now, imagine if every LJ page contained that. Every LJ user could be DoS'ing some other site, with no Referer header saying we requested it.

Dear Lazyweb, tell me what other browsers do/send. I'd go upstairs and use IE on Dina's laptop but I'm too lazy to install ethereal on it. Plus I should go back to bed.

Update: Couldn't sleep. Results:

Firefox/1.0.2 (Debian package 1.0.2-2): No Referer
Firefox/1.0.1 (Windows): Referer
IE 6: Referer

So is this a regression from 1.0.1 to 1.0.2, or is it a Linux/Windows thing?

Update#2:
Firefox/1.0.1 (Linux, not Debian): No Referer

Looking like a Linux thing.

Comments:
From: iconoclast
2005-05-08 01:01 pm (UTC)
Well, crap.
(Reply) (Thread)
From: j7xz49br3m93xrr
2005-05-08 01:28 pm (UTC)
Firefox 1.0 (not 1.0.x) on Mac - No referrer
Safari - that code doesn't work, but using a hard-coded <script>.. no referrer
(Reply) (Parent) (Thread)
From: brad
2005-05-08 01:32 pm (UTC)
Sad it doesn't work in Safari... I wonder why.

Really bizarre tho that a static script element wouldn't send a referer.
(Reply) (Parent) (Thread)
From: j7xz49br3m93xrr
2005-05-08 02:32 pm (UTC)
I just looked around and found several references that this is an accepted problem with Safari (even seems to affect the latest Safari with Tiger).. scripts referenced in dynamically created elements are never loaded. Here's the test case: http://www.xs4all.nl/~zanstra/inTec/safariIdea/script.htm None of these work in Safari for me.
(Reply) (Parent) (Thread)
From: boggyb
2005-05-08 01:40 pm (UTC)
Bear in mind quite a few Windows firewalls/ad-killers eat the Referer header, as it's commonly used with ads and web beacons to track visited sites. Referer header + doubleclick cookie = web history.
(Reply) (Thread)
From: brad
2005-05-08 01:41 pm (UTC)
I have neither on my Linux box, and the Windows box is the one sending Referer headers.
(Reply) (Parent) (Thread)
From: boggyb
2005-05-08 01:43 pm (UTC)
I know, it's just something to bear in mind. Personally I turn off the referer eating, but the default is to eat them. I remember running into problems with that when a site started running referer checking, and wouldn't let you through *unless* it saw a referer header that it liked. A missing referer header was rejected. Very annoying it was, until someone fixed it.
(Reply) (Parent) (Thread)
From: ydna
2005-05-08 04:40 pm (UTC)
Questionable data collection technique: 1) put the code live into every page of LJ, 2) aim the target somewhere you can log agent data, and 3) analyze.
(Reply) (Thread)
From: jwz
2005-05-08 09:44 pm (UTC)
For some reason, people who write web browsers have generally been completely incompetent at getting the Referer header generated properly (sending the wrong one when you hit "Back"; sending whatever page was previously loaded into the current window; and shit like that.) I don't think Mac versions of Netscape ever got it right.
(Reply) (Thread)
From: brad
2005-05-08 10:01 pm (UTC)
It looks like there are about 3 dozen Referer bugs in bugzilla.mozilla.org right now, all like what you described: wrong/missing referrers when anything halfway different is done.
(Reply) (Parent) (Thread)
From: andrewducker
2005-05-09 06:34 am (UTC)

Thank goodness

If it's just a Linux thing then you can't do a headerless DDoS - yet. Let's hope they fix it before Linux hits the mainstream desktop.
(Reply) (Thread)
From: taral
2005-05-10 02:26 am (UTC)
Definitely a Linux thing... Windows Firefox 1.0+ (today) has a referer sent.
(Reply) (Thread)
From: legolas
2005-05-11 08:49 pm (UTC)
What I don't get is how a relatively platform independent and 'high level' thing like sending a referrer header can be platform dependent (or at least the bugs in it are)...
(Reply) (Parent) (Thread)
From: brad
2005-05-11 11:07 pm (UTC)
I know! I don't get it either... just reporting what I saw.
(Reply) (Parent) (Thread)