Hi Tom et al.

hm, OK. I've noticed that some sites do exactly what we need in our case: disobeying this "SHOULD NOT" in RFC 2616. E.g. I'm logged in at Facebook and click a link to one of the sites I have log access to. I'm using HTTPS at the Facebook site. The referer header appears within my apache log.

Which kind of tech would make this available? Maybe a proxy in front of the apache? Header rewriting?

Cheers,
Chris

On 15.12.2011, at 12:58, Tom Evans wrote:

> On Thu, Dec 15, 2011 at 10:59 AM, Christoph Pilka
> <christoph.pilka@xxxxxxxxxxxxxx> wrote:
>> Howdy,
>>
>> according to RFC 2616 chapter 15.1.3 "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol" which makes sense in certain circumstances because of sensitive data the HTTPS request would hand over. But is there any way to configure the HTTPS site's Apache to strip down this behaviour and tell the web server to only deliver the hostname within the referer header? In our case we need some kind of solution to pass-through the referer to external HTTP sites for evaluation purposes. Our site uses purely HTTPS. Many thanks in advance for any hints.
>>
>> Cheerio,
>> Chris
>>
>
> No, there is no way for a http server to tell a client "Actually, go
> ahead and disobey that RFC".
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>