brad's life
Brad Fitzpatrick

Firefox 1.0/1.1 bug? [May. 8th, 2005|05:28 am]

Both Firefox 1.0.3 and the almost-1.1 nightly builds have an interesting feature/bug.

You can dynamically load JavaScript (from any URL) from JavaScript and Firefox won't send along the HTTP Referer (sic) header.

Test with, say:
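function js_include (uri) {
  var se = document.createElement("script");
  se.src = uri;
  // Snippet as posted ends here; attaching the element to <head> is the assumed remainder.
  document.getElementsByTagName("head")[0].appendChild(se);
}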

Now, imagine if every LJ page contained that. Every LJ user could be DoS'ing some other site, with no Referer header saying we requested it.

Dear Lazyweb, tell me what other browsers do/send. I'd go upstairs and use IE on Dina's laptop but I'm too lazy to install ethereal on it. Plus I should go back to bed.

Update: Couldn't sleep. Results:

Firefox/1.0.2 (Debian package 1.0.2-2): No Referer
Firefox/1.0.1 (Windows): Referer
IE 6: Referer

So is this a regression from 1.0.1 to 1.0.2, or is it a Linux/Windows thing?

Firefox/1.0.1 (Linux, not Debian): No Referer

Looking like a Linux thing.
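
The comparison made in the post (which browsers send Referer on a script request) can be tabulated from captured request heads. This is an added example, not part of the original post; the sample requests, host names, paths and User-Agent strings are constructed, and `parseRequestHead` and `refererReport` are hypothetical helper names.

```javascript
// Added example: parse raw HTTP request heads (as copied from a packet capture)
// and report which script requests arrived without a Referer header.

// Constructed sample requests mirroring the results reported in the post;
// host names, paths and User-Agent strings are made up for illustration.
const SAMPLES = [
  "GET /probe.js HTTP/1.1\r\nHost: target.example\r\n" +
    "User-Agent: Firefox/1.0.2 (Linux, constructed)\r\nAccept: */*\r\n\r\n",
  "GET /probe.js HTTP/1.1\r\nHost: target.example\r\n" +
    "User-Agent: Firefox/1.0.1 (Windows, constructed)\r\n" +
    "Referer: http://journal.example/page.html\r\n\r\n",
  // Lower-case header names and bare LF line endings must parse the same way.
  "GET /probe.js HTTP/1.1\nhost: target.example\n" +
    "user-agent: MSIE 6.0 (constructed)\nreferer: http://journal.example/page.html\n\n",
];

// Parse the request line and headers; header names are case-insensitive.
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/);
  const m = /^(\S+) (\S+) HTTP\/\d\.\d$/.exec(lines[0] || "");
  if (!m) return null; // not an HTTP request head
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break; // blank line ends the header block
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method: m[1], path: m[2], headers };
}

// Per User-Agent, count requests that did and did not name the referring page.
function refererReport(rawRequests) {
  const report = new Map();
  for (const raw of rawRequests) {
    const req = parseRequestHead(raw);
    if (!req) continue; // skip anything that is not a request head
    const ua = req.headers["user-agent"] || "(no User-Agent)";
    if (!report.has(ua)) report.set(ua, { withReferer: 0, withoutReferer: 0 });
    // An empty Referer value attributes the request to no page, so count it as missing.
    if (req.headers["referer"]) report.get(ua).withReferer++;
    else report.get(ua).withoutReferer++;
  }
  return report;
}

console.log(refererReport(SAMPLES));
```

A site on the receiving end can run the same tally over its own request logs to see how much script traffic arrives with no page attribution at all.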

From: j7xz49br3m93xrr
2005-05-08 01:28 pm (UTC)
FireFox 1.0 (not 1.0.x) on Mac - No referrer
Safari - that code doesn't work, but using a hard coded <script>.. no referrer

From: brad
2005-05-08 01:32 pm (UTC)
Sad it doesn't work in Safari... I wonder why.

Really bizarre tho that a static script element wouldn't send a referer.

From: j7xz49br3m93xrr
2005-05-08 02:32 pm (UTC)
I just looked around and found several references that this is an accepted problem with Safari (even seems to affect the latest Safari with Tiger).. scripts referenced in dynamically created elements are never loaded. Here's the test case: http://www.xs4all.nl/~zanstra/inTec/safariIdea/script.htm None of these work in Safari for me.