[Phpmyadmin-devel] Redirecting external links
Isaac Bennetch
bennetch at gmail.com
Mon Jan 31 17:52:08 CET 2011
Hi,
On 1/31/2011 9:34 AM, Michal Čihař wrote:
> Hi all
>
> when going to other page, browsers sends Referer header to the next
> server. This could obviously leak some information from the original
> website. Given that we might include in URL possibly sensitive
> information (eg. SQL query), I've added redirector (url.php) inside
> phpMyAdmin, what hides all the parameter and all what the next site can
> see is<PmaAbsoluteUri>/url.php?url=<URL where you go>.
Yes, this seems good.
> On the other side, user might want to hide<PmaAbsoluteUri> as well.
> This can be only achieved by using some external redirector, for
> example we could place one at phpmyadmin.net. Any opinions about that?
I think it's not worth the hassle. While I do understand that some users
may want to hide their URL as an additional layer of security, there are
some very good questions being asked about what happens if the
redirector is down, if it can handle/is permitted to handle the amount
of traffic we could potentially generate, and most importantly about the
likelihood of the redirector itself collecting the referrer information.
Not to mention the question of whether it's phpMyAdmin's responsibility
to obscure this in the first place (for the truly paranoid, there are
ways to accomplish this across an entire system, rather than a single
application).
I vote no, for what that's worth.
On 1/31/2011 10:04 AM, Marc Delisle wrote:
> How about generating these redirections via js? I have seen this
somewhere.
Perhaps you're referring to the use of an iframe + javascript such as is
described at
http://www.knowlegezone.com/documents/75/Hide-referer-IE-and-Firefox/
More information about the Developers
mailing list