Why does Microsoft Edge send an empty HTTP Referer on a POST/REDIRECT/GET call if the request and response URI are the same?

Nagesh Mhapadi

Currently, I'm working on a Django 1.11 project, and I deployed my app using nginx with the scheme 'https'. I want to submit a form but don't want to resubmit the same one, so I used the POST/REDIRECT/GET pattern. Everything is working fine and as expected on Mozilla and Chrome, i.e. the POST/REDIRECT/GET call will render the corresponding webpage, and on reload and resubmit the same form will render 403 access denied as expected. The problem only occurs when I'm testing the same view in the Microsoft Edge browser. On calling the POST/REDIRECT/GET method, it directly throws me a 403. The reason for the 403 is 'REASON_NO_REFERER'. Microsoft Edge is forwarding an empty HTTP Referer while using the POST/REDIRECT/GET pattern.

I found a patch for this:

Add <meta name="referrer" content="origin-when-cross-origin" /> in the <head> of the HTML template, and now it's working fine for Edge also. But still, I don't know what is wrong with Edge if I don't add this meta tag in the header. Also, does it cause any security vulnerabilities?

Django's source explains why Referer checking is a must:

# Suppose a user visits http://example.com/
# An active network attacker (man-in-the-middle, MITM) sends a
# POST form that targets https://example.com/detonate-bomb/ and
# submits it via JavaScript.
#
# The attacker will need to provide a CSRF cookie and token, but
# that's no problem for a MITM and the session-independent
# secret we're using. So the MITM can circumvent the CSRF
# protection. This is true for any HTTP connection, but anyone
# using HTTPS expects better! For this reason, for
# https://example.com/ we need additional protection that treats
# http://example.com/ as completely untrusted. Under HTTPS,
# Barth et al. found that the Referer header is missing for
# same-domain requests in only about 0.2% of cases or less, so
# we can use strict Referer checking.

So, in that case, does it mean that adding the meta tag to the HTML is compulsory to feed xyz-origin in the HTTP Referer? If yes, does it cause any security vulnerabilities for a man-in-the-middle attack, as the attacker may have the HTTP Referer also?

I'm poor in networking concepts, so please correct me if something is missing or wrong on my side.

Deepak-MSFT

The meta referrer tag works with most browsers to pass referrer information in a manner defined by the user. Traffic remains encrypted and all the benefits of using HTTPS remain in place, but now you can pass referrer data to all websites, even those that use HTTP.

Origin When Cross-Origin: Sends the full URL as the referrer when the target has the same scheme, host, and port (i.e. subdomain) regardless of whether it's HTTP or HTTPS, while sending origin-only referral information to external sites.

So based on that, I think you will not have any security-related issues.

References:

(1) The Meta Referrer Tag: An Advancement for SEO and the Internet

(2) SEO for HTTPS Sites: Should You Implement the Meta Referrer Tag?

(3) https://www.w3.org/TR/referrer-policy/
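To tie the question's quoted Django rationale to the answer's description of the referrer policies, here is an added example (not code from the question, the answer, or Django itself): a constructed model of the Referer value a browser emits under each policy for the same-URI POST/REDIRECT/GET flow, fed into a simplified re-implementation of the strict check Django 1.11 applies to HTTPS requests. The host `example.com` and page path `/form/` are assumed sample values.

```python
from urllib.parse import urlsplit

# Rejection reasons as worded in Django 1.11's CsrfViewMiddleware.
REASON_NO_REFERER = "Referer checking failed - no Referer."
REASON_MALFORMED_REFERER = "Referer checking failed - Referer is malformed."
REASON_INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
REASON_BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."

def referer_value(policy, referring_url, target_url):
    """Referer a browser emits for a navigation from referring_url to target_url
    under the given policy (model of the W3C Referrer Policy rules for the
    policies discussed on this page; the fragment is never sent)."""
    src, dst = urlsplit(referring_url), urlsplit(target_url)
    origin = f"{src.scheme}://{src.netloc}/"
    full = referring_url.split("#")[0]
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    raise ValueError(f"policy not modelled here: {policy}")

def check_referer(referer, request_host, trusted_origins=()):
    """Simplified model of the strict check Django 1.11 applies when the
    request is HTTPS: returns None on success, else the rejection reason."""
    if referer is None:
        return REASON_NO_REFERER
    parts = urlsplit(referer)
    if "" in (parts.scheme, parts.netloc):
        return REASON_MALFORMED_REFERER
    if parts.scheme != "https":  # an http:// page can never vouch for an https:// request
        return REASON_INSECURE_REFERER
    if parts.netloc not in (request_host, *trusted_origins):
        return REASON_BAD_REFERER % referer
    return None

def post_redirect_get_outcomes(page="https://example.com/form/"):
    """Outcome of the question's same-URI POST/REDIRECT/GET submission under each
    policy: only a policy that emits no Referer reproduces the Edge 403."""
    return {p: check_referer(referer_value(p, page, page), "example.com")
            for p in ("no-referrer", "origin", "origin-when-cross-origin",
                      "strict-origin-when-cross-origin")}
```

The MITM case from the Django comment is the `REASON_INSECURE_REFERER` branch: a page served over http:// can only produce an http:// Referer, which the check rejects regardless of the policy the meta tag selects.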
