HTTP Referer

[Alkarex]

• Add an explanation in the documentation
  • Users must not fake their HTTP Referer to use the POST forms of FreshRSS, for security reasons, at least for the time being [Sécurité] Vulnérabilité de type CSRF pour changer le password #554
  • OWASP
  • http://fr.wikipedia.org/wiki/R%C3%A9f%C3%A9rant
  • http://en.wikipedia.org/wiki/HTTP_referer
• Add a test in install.php to warn users who might have altered their HTTP Referer (e.g. [bug] javascript refresh is looping #564)
  • http://en.wikipedia.org/wiki/Referer_spoofing

[Alkarex]

In Mozilla Firefox #564 (comment):

• network.http.sendRefererHeader should be set to its default value (2) or value 1. A value of 0 will fail. (0=don't send any, 1=send only on clicks, 2=send on image requests as well)
  • First, it's not so important: sensitive sites are supposed to use HTTPS which is mostly immune less sensitive to the Referer problem; and most of the inter-domain tracking is done by cookies and/or shared images/scripts which work even when Referer is disabled (and also to some extent when third-party cookies are disabled).
  • If you still really are concerned about HTTP inter-domain tracking, consider instead network.http.referer.XOriginPolicy (0=always send, 1=send iff base domains match, 2=send iff hosts match) and/or network.http.referer.trimmingPolicy (0=full URI, 1=scheme+host+port+path, 2=scheme+host+port).
  • There are also some add-ons for this job.
• Warning: using network.http.referer.spoofSource makes the browser vulnerable to XSRF attacks

[marienfressinaud]

We should also add a note about Docker: exposed port must be the same as the one on which Apache listens in the Docker container.

For instance, my Apache (in a container so) listens on port 80 but exposed port was 8080. So there was a redirection and I wasn't able to change configuration.

[Alkarex]

I do not know if it was your case, but HTTPS Referer is typically not sent between different { domain, port } so you end up with an empty Referer, which could be a sign of an attack.
Otherwise, I currently do not check the port in the Referer, only the domain, so if all pages are served from the same { domain, port} in the case of HTTPS, or same domain in the case of HTTP, there should be no problem.

[marienfressinaud]

It's just I asked a page on port 8080 but final request was on port 80 because the Docker redirection.

[Alkarex]

La conversation pour une meilleure méthode basée sur un token continue dans #570

[Alkarex]

Je copie un commentaire de @marienfressinaud #554 (comment)

il reste les actions comme "marquer comme lu" et "favoris". Si un id n'est pas forcément facile à deviner, il reste la question du bouton "tout marquer comme lu" qui peut être plus problématique pour certains.

[GLLM]

Just to let you know : since the last update I'm getting the HTTP_REFERER issue with a plain Android 4.4.3 (Galaxy S4) + default Chrome browser.

To access my FR, I use http://ip:port/path ... port being an exotic one.

I've been forced to deactivate the safe authentication, otherwise I cannot use it from my smartphone :(

A+
GLLM

[Alkarex]

@GLLM Is it at the form login that it fails?

[GLLM]

Yes, when trying to log in .. I never managed to get past the login screen.

[Alkarex]

Any chance that you could find out what value is sent in HTTP_REFERER in your case, for instance using a script with phpinfo (see below) with a link from another page?

<?php
phpinfo();