I'm trying to address a privacy issue where the HTTP referer field is being populated after performing an HTTP POST.

In other words, I need to HTTP POST to retrieve some data from SITE A, and want to call SITE B. I want to ensure that the referer of the calling site (A) is never shown in the HTTP call to SITE B.

Is this possible?

makerofthings7
  • How is the POST being performed then? – millimoose Mar 10 '13 at 23:43
  • @millimoose Right now it's a redirect to a static page where the target page has a form to POST data. – makerofthings7 Mar 10 '13 at 23:47
  • @makerofthings7 Hm. This doesn't seem to be possible. Is it a viable solution to just punt on this and have the users install an appropriate browser extension? – millimoose Mar 10 '13 at 23:50
  • Can you do the initial post via a jQuery ajax call and then a separate call to site B? – Offbeatmammal Mar 10 '13 at 23:53
  • I'm confused .. you're making a request to A from the client? How does site B factor into that? Or are you making a request from site A to site B? In that case you're doing it on the server, right? – Explosion Pills Mar 10 '13 at 23:54
  • My internet is about to cut out (I'm heading into the subway / underground)... I'm trying to address this issue http://security.stackexchange.com/q/32402/396 – makerofthings7 Mar 11 '13 at 00:00

1 Answer

I don't see any problem with this. First, using HTTPS, well-behaving clients won't send the referer to plain HTTP sites.

But the whole point in addressing this issue is that sensitive information shouldn't be transferred with the GET method (it may end in a log file for example). You (correctly) use POST to send the form to site A, so the URI should not be a privacy concern. If that's the case, remove the offending pieces of data and put them in the form served from A, so they are sent along with the POST submission.

Finally, the last time I checked it, most of the browsers don't send the named header.

Raffaele
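
The following is an added example, not part of the answer above. It models the classic client rule the answer refers to (no Referer on an HTTPS to HTTP navigation, per RFC 7231 section 5.5.2) and checks which URL parameters would reach site B when the data is in the URL versus in a POST body. The hostnames, parameter names and helper functions are constructed for illustration; browsers with a stricter referrer policy send less than this model.

```javascript
// Added example (Node.js). Hostnames, parameter names and function names are
// constructed assumptions, not taken from the question or the answer.

// Referer a well-behaved client sends under the classic rule: omitted on
// HTTPS -> HTTP, otherwise the page URL without fragment or userinfo.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  from.hash = '';
  from.username = '';
  from.password = '';
  return from.href;
}

// Names of sensitive query parameters on the page URL that would reach the
// destination through the Referer header.
function leakedParams(fromUrl, toUrl, sensitiveNames) {
  const referer = refererFor(fromUrl, toUrl);
  if (referer === null) return [];
  const params = new URL(referer).searchParams;
  return sensitiveNames.filter((name) => params.has(name));
}

const SENSITIVE = ['token', 'account'];

// Page on site A reached with GET: identifiers sit in the URL.
const viaGet = 'https://site-a.example/report?account=1234&token=abc#top';
// Same page reached after a POST: identifiers travelled in the request body.
const viaPost = 'https://site-a.example/report';

function demo() {
  return {
    getToHttps: leakedParams(viaGet, 'https://site-b.example/', SENSITIVE),
    getToHttp: leakedParams(viaGet, 'http://site-b.example/', SENSITIVE),
    postToHttps: leakedParams(viaPost, 'https://site-b.example/', SENSITIVE),
    // What site B still learns after the data moved into the POST body.
    refererAfterPost: refererFor(viaPost, 'https://site-b.example/'),
  };
}

console.log(demo());
```

In this model, moving the data into the POST body removes the parameters from the header, but an HTTPS site B still receives site A's page address.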