[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization

Roberto Bayardo roberto.bayardo at gmail.com
Tue Sep 27 15:37:18 UTC 2005


> Web browsers don't leak https URLs in the Referer header.

Not in my experience. For example, using both IE 6 and Mozilla 1.7.10,
consider the following log snapshot:

9.49.221.110 - - [27/Sep/2005:15:24:27 +0000] "GET /images/unknown2.gif HTTP/1.1" 200 1006 "https://bayardo.userv.ibm.com/stuff/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716"
9.49.221.110 - - [27/Sep/2005:15:24:27 +0000] "GET /images/source_java.gif HTTP/1.1" 200 1031 "https://bayardo.userv.ibm.com/stuff/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716"
....
9.49.221.110 - - [27/Sep/2005:15:27:35 +0000] "GET /images/txt.gif HTTP/1.1" 200 1030 "https://bayardo.userv.ibm.com/stuff/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
9.49.221.110 - - [27/Sep/2005:15:27:36 +0000] "GET /images/unknown2.gif HTTP/1.1" 200 1006 "https://bayardo.userv.ibm.com/stuff/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

This is from the log of a webserver with domain "w3.userv.ibm.com"
(an internal domain so it won't work for you :-) which hosts images
referenced by pages on the server bayardo.userv.ibm.com.
Both servers are accessed using HTTPS; both servers use different SSL certs
issued by different CAs. They share the same top level domain, but I don't
know if that's significant (if it is, it shouldn't be!).
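An added example, not part of the original message: it parses combined-format log lines like the snapshot above and flags every request whose Referer is an https URL on a host other than the one writing the log, which is exactly what the snapshot shows. The helper names, the `served_host` parameter and the sample log lines are constructed for this example, modelled on the snapshot.

```python
import re
from urllib.parse import urlsplit

# Apache/NCSA "combined" log format, as used in the snapshot above.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines modelled on the snapshot (hosts and paths assumed).
SAMPLE_LOG = """\
9.49.221.110 - - [27/Sep/2005:15:24:27 +0000] "GET /images/unknown2.gif HTTP/1.1" 200 1006 "https://bayardo.userv.ibm.com/stuff/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716"
9.49.221.110 - - [27/Sep/2005:15:27:35 +0000] "GET /images/txt.gif HTTP/1.1" 200 1030 "https://bayardo.userv.ibm.com/stuff/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
9.49.221.110 - - [27/Sep/2005:15:28:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 512 "https://w3.userv.ibm.com/index.html" "Mozilla/5.0"
9.49.221.110 - - [27/Sep/2005:15:28:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 512 "-" "Mozilla/5.0"
9.49.221.110 - - [27/Sep/2005:15:28:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 512 "https://bayardo.userv.ibm.com/stuff/?token=abc" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields; None if it doesn't parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_https_referer_leaks(log_text, served_host):
    """Return (time, referer, has_query) for requests whose Referer is an
    https URL on a host other than served_host: each one records a browser
    handing a secure URL from one host to another. has_query is True when
    the leaked URL also carried a query string, the case where a secret
    embedded in the URL would travel with it."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] == "-":
            continue  # unparseable line or no Referer sent
        ref = urlsplit(rec["referer"])
        if ref.scheme != "https" or ref.hostname == served_host:
            continue  # plain-http referer, or same host: not a cross-host leak
        leaks.append((rec["time"], rec["referer"], bool(ref.query)))
    return leaks
```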