Bug 101264

Summary: document.open should set the outgoing Referer
Product: WebKit Reporter: Brad Vogel <bradavogel>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: UNCONFIRMED    
Severity: Normal CC: abarth, ap, bradavogel, wiebe
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
repro case none

Brad Vogel
Reported 2012-11-05 15:01:25 PST
Created attachment 172412 [details] repro case Browsers tested: Chrome Canary 25.0.1317.0 - FAIL Webkit Nightly 6.0.2 (7536.26.17, 537+) - FAIL Firefox 16.0.2 - PASS Repro steps: 1) Run the attached test.html with the web inspector open. 2) Click the Network tab and click icon-gold.png. Expected: The HTTP REFERER header is sent when requesting the image. Actual: Notice that the HTTP REFERER header isn't sent when requesting the image. This is because the iframe doesn't have a 'src' attribute. However, the iframe is created and written into by the parent page, so it should send the parent page's REFERER. This breaks sites that need to use a local iframe to sandbox css styles, and that iframe also loads external content that relies on HTTP REFERER.
Attachments
repro case (447 bytes, text/html)
2012-11-05 15:01 PST, Brad Vogel 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2012-11-06 14:57:15 PST
What is a "local" iframe?
Adam Barth
Comment 2 2012-11-06 15:10:46 PST
I thought I checked all these cases and made us match Firefox, but it sounds like I missed this one. Thanks for the report.
Brad Vogel
Comment 3 2012-11-06 15:28:08 PST
"Local iframe": an empty iframe without the 'src' attribute. E.g.: <iframe></iframe> <script> var iframe = document.querySelector('iframe'); iframe.open(); iframe.write('content'); iframe.close(); </script>
Matt Wiebe
Comment 4 2012-12-19 09:42:41 PST
I can confirm that IE 9 and 10 also set the HTTP Referer header properly in this use case. This is a particular problem for anyone using the WordPress Theme Customizer (which uses a src-less, dynamic iframe) in conjunction with any authenticated requests that rely on the Referer (eg Typekit) inside that iframe.
Brad Vogel
Comment 5 2013-04-04 17:02:34 PDT
Cross filed for Blink at https://code.google.com/p/chromium/issues/detail?id=226858
Note You need to log in before you can comment on or make changes to this bug.