Hi all,
2011/1/31 Michal Čihař michal@cihar.com:
Hi all
when going to other page, browsers sends Referer header to the next server. This could obviously leak some information from the original website. Given that we might include in URL possibly sensitive information (eg. SQL query), I've added redirector (url.php) inside phpMyAdmin, what hides all the parameter and all what the next site can see is <PmaAbsoluteUri>/url.php?url=<URL where you go>.
On the other side, user might want to hide <PmaAbsoluteUri> as well. This can be only achieved by using some external redirector, for example we could place one at phpmyadmin.net. Any opinions about that?
Would it be default behaviour to redirect through phpmyadmin.net, or is at an option? What if phpmyadmin.net is unavailable (down, or not reachable by the network where a local version of pma is installed), will links in PMA not work? If an external redirector is used, isn't the Referer sent with the HTTP request header, traveling the internet in cleartext?
PS: The referrer should not be sent when original site is using HTTPS, quoting RFC:
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
-- Michal Čihař | http://cihar.com | http://blog.cihar.com
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d _______________________________________________ Phpmyadmin-devel mailing list Phpmyadmin-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel