List:       kde-bugs-dist
Subject:    Bug#35509: document.referer, top.document.referer - not defined in KHTML/LJS
From:       Vadim Plessky <lucy-ples () mtu-net ! ru>
Date:       2001-12-01 18:33:12

On Friday 30 November 2001 18:21, David Faure wrote:
|   On Wednesday 28 November 2001 23:45, Vadim Plessky wrote:
|   > Package: khtml
|   > Version: 3.0 (using KDE 2.2.2) (Linux Mandrake 8.0 i586)
|   > Severity: normal
|   > OS: Linux 2.4.3-20mdk i686
|   > Compiler: gcc version 2.96 (Linux-Mandrake 8.0 2.96-0.48mdk)
|   >
|   > document.referer, top.document.referer - are not defined in KHTML/KJS
|
|   The comment in the code says this is disabled for security reasons.
|   Is there any real-world website where this creates a problem?

There are several cases where document.referer (returning the referring page) is 
indeed required for web site access.
Example: www.astralon.ru (posting to the guest book)

Let me explain this a little bit.
There is a guest book on this site. To allow posting in this guest book, the 
webmaster checks document.referer and doesn't allow posting when the 
referer is empty or not equal to some required URL (posting form).
If you don't check for this, it's possible to make 100 000 postings within 
one hour and completely break the guest book.
In fact, with document.referer missing it's not possible to make a posting with 
Konqueror.

I think the best we can do is to make document.referer configurable (switch 
On/Off), just like Cookies or JavaScript.

BTW: the potential security (in fact, not security but privacy) risk of enabling 
Cookies is much higher than with document.referer.
And one more option in Konq makes life very easy for security zealots: 
*disabling JavaScript*.
With JavaScript disabled, I doubt you can read screen.width, document.referer 
or any other interesting JS/DOM object.

-- 

Vadim Plessky
http://kde2.newmail.ru  (English)
33 Window Decorations and 6 Widget Styles for KDE
http://kde2.newmail.ru/kde_themes.html
KDE mini-Themes
http://kde2.newmail.ru/themes/
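The guest-book check described in the message above relies on a value the browser may simply withhold, which is exactly why Konqueror users were locked out. The following is an added example, not code from the KDE bug thread nor from the astralon.ru site, showing how a posting page can evaluate the referrer while treating an empty value as "unknown" rather than as abuse. The function names (checkReferrer, shouldBlockSubmission) and the form URL under www.astralon.ru are assumptions constructed for this example; the real DOM property is spelled document.referrer.

```javascript
// Added example (not from the KDE bug thread or the astralon.ru site):
// evaluating document.referrer without locking out browsers that do not expose it.
// ALLOWED_FORM is a constructed sample URL; the path is not the site's real form.
const ALLOWED_FORM = "http://www.astralon.ru/guestbook/form.html";

// Classify a referrer string the way a posting page might:
//   "ok"       - referrer matches the posting form (same origin and path)
//   "mismatch" - referrer is present but points somewhere else
//   "unknown"  - referrer is empty: the browser withheld it (KHTML in this
//                thread, or a privacy setting), which is not evidence of abuse
function checkReferrer(referrer, allowedForm = ALLOWED_FORM) {
  if (!referrer) {
    return { status: "unknown", reason: "browser did not send document.referrer" };
  }
  let ref;
  let allowed;
  try {
    ref = new URL(referrer);
    allowed = new URL(allowedForm);
  } catch (e) {
    // new URL() throws on malformed input; treat that as a definite mismatch
    return { status: "mismatch", reason: "referrer is not a valid URL" };
  }
  // Compare origin and path only: query strings and fragments vary legitimately
  // (e.g. ?lang=ru) and an exact string comparison would reject them.
  if (ref.origin === allowed.origin && ref.pathname === allowed.pathname) {
    return { status: "ok", reason: "referrer is the posting form" };
  }
  return {
    status: "mismatch",
    reason: `referrer ${ref.origin}${ref.pathname} is not the posting form`,
  };
}

// Decide whether the client-side check alone should stop the submission.
// Only a definite mismatch is blocked here; an unknown (empty) referrer is
// passed on for the server to judge, because the client-side value can
// always be empty and a client-side check can never be the only gate.
function shouldBlockSubmission(referrer, allowedForm = ALLOWED_FORM) {
  return checkReferrer(referrer, allowedForm).status === "mismatch";
}

// In a browser the page would call:
//   if (shouldBlockSubmission(document.referrer)) { /* show an error, do not post */ }
// Under Node (no `document`), exercise the same logic with constructed values.
if (typeof document === "undefined") {
  const samples = [ALLOWED_FORM, ALLOWED_FORM + "?lang=ru", "", "http://other.example/"];
  for (const r of samples) {
    console.log(JSON.stringify(r), "->", checkReferrer(r).status);
  }
}
```

The design point is the three-way result: a page that folds "unknown" into "mismatch" turns every privacy-conscious or referrer-less browser into a false positive, while the server still has to validate the request on its own, since anything computed in the client can be supplied by the client.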

