[Phpmyadmin-devel] Redirecting external links

Michal Čihař michal at cihar.com
Mon Jan 31 15:34:10 CET 2011


Hi all,

When going to another page, browsers send the Referer header to the next
server. This could obviously leak some information from the original
website. Given that we might include possibly sensitive information in
the URL (e.g. an SQL query), I've added a redirector (url.php) inside
phpMyAdmin, which hides all the parameters, so all that the next site can
see is <PmaAbsoluteUri>/url.php?url=<URL where you go>.

On the other side, the user might want to hide <PmaAbsoluteUri> as well.
This can only be achieved by using some external redirector; for
example, we could place one at phpmyadmin.net. Any opinions about that?

PS: The referrer should not be sent when the original site is using HTTPS,
quoting the RFC:

> Clients SHOULD NOT include a Referer header field in a
> (non-secure) HTTP request if the referring page was transferred with
> a secure protocol.

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com
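
The leak and the redirector described in the message above, modelled as an added example (not part of the original post and not phpMyAdmin's url.php). Host names, the `sql.php` page and its parameters are constructed; the model assumes browsers send the full referring URL unless the quoted RFC rule applies.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (assumptions, not taken from a real installation).
PMA_ABSOLUTE_URI = "http://db.example.test/phpmyadmin/"
PAGE = PMA_ABSOLUTE_URI + "sql.php?" + urlencode(
    {"db": "shop", "sql_query": "SELECT * FROM customers"})
EXTERNAL = "http://docs.example.org/manual.html"


def redirector_link(pma_absolute_uri, target):
    """Build <PmaAbsoluteUri>/url.php?url=<target> with the target URL-encoded."""
    return pma_absolute_uri.rstrip("/") + "/url.php?" + urlencode({"url": target})


def referer_sent(referring_page, destination):
    """Referer a browser sends for this navigation, or None if it is withheld."""
    src, dst = urlsplit(referring_page), urlsplit(destination)
    if src.scheme == "https" and dst.scheme != "https":
        return None  # quoted RFC rule: secure page, non-secure request
    return referring_page


def referer_at_external_site(page, external, pma_absolute_uri=None):
    """Referer the external site receives, linked directly or via the redirector.

    Assumption: url.php answers with a page that itself navigates onward, so it
    becomes the referring page. A plain HTTP 3xx redirect would not change the
    Referer.
    """
    if pma_absolute_uri is None:
        return referer_sent(page, external)
    hop = redirector_link(pma_absolute_uri, external)
    return referer_sent(hop, external)


def leaked_params(referer):
    """Query parameters the receiving server can read out of the Referer."""
    if referer is None:
        return {}
    return {k: v[0] for k, v in parse_qs(urlsplit(referer).query).items()}


if __name__ == "__main__":
    direct = referer_at_external_site(PAGE, EXTERNAL)
    hidden = referer_at_external_site(PAGE, EXTERNAL, PMA_ABSOLUTE_URI)
    print("direct  :", leaked_params(direct))
    print("via url :", hidden, leaked_params(hidden))
```
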