发表新帖
发表新帖

Referer missing in HTTP header of Selenium request

后端 未结
关注
1 1723
鱼传尺愫
鱼传尺愫 2020-12-20 12:58

I\'m writing some tests with Selenium and noticed, that Referer is missing from the headers. I wrote the following minimal example to test this with https://htt

相关标签:
1条回答
  • 遥遥无期
    2020-12-20 13:44

    Referer as per the MDN documentation

    The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching, for example.

    Important: Although this header has many innocent uses it can have undesirable consequences for user security and privacy.

    Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

    However:

    A Referer header is not sent by browsers if:

    • The referring resource is a local "file" or "data" URI.
    • An unsecured HTTP request is used and the referring page was received with a secure protocol (HTTPS).

    Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

    Privacy and security concerns

    There are some privacy and security risks associated with the Referer HTTP header:

    The Referer header contains the address of the previous web page from which a link to the currently requested page was followed, which can be further used for analytics, logging, or optimized caching.

    Source: https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns#The_referrer_problem

    Addressing the security concerns

    From the Referer header perspective majority of security risks can be mitigated following the steps:

    • Referrer-Policy: Using the Referrer-Policy header on your server to control what information is sent through the Referer header. Again, a directive of no-referrer would omit the Referer header entirely.
    • The referrerpolicy attribute on HTML elements that are in danger of leaking such information (such as <img> and <a>). This can for example be set to no-referrer to stop the Referer header being sent altogether.
    • The rel attribute set to noreferrer on HTML elements that are in danger of leaking such information (such as <img> and <a>).
    • The Exit Page Redirect technique: This is the only method that should work at the moment without flaw is to have an exit page that you don’t mind having inside of the referer header. Many websites implement this method, including Google and Facebook. Instead of having the referrer data show private information, it only shows the website that the user came from, if implemented correctly. Instead of the referrer data appearing as http://example.com/user/foobar the new referrer data will appear as http://example.com/exit?url=http%3A%2F%2Fexample.com. The way the method works is by having all external links on your website go to a intermediary page that then redirects to the final page. Below we have a link to the website example.com and we URL encode the full URL and add it to the url parameter of our exit page.

    Sources:

    • https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns#How_can_we_fix_this
    • https://geekthis.net/post/hide-http-referer-headers/#exit-page-redirect

    This usecase

    I have executed your code through both through GeckoDriver/Firefox and ChromeDriver/Chrome combination:

    Code Block:

    driver.get('http://www.python.org')
assert 'Python' in driver.title

url = 'https://httpbin.org/headers'
driver.execute_script('window.location.href = "{}";'.format(url))
WebDriverWait(driver, 10).until(lambda driver: driver.current_url == url)
print(driver.page_source)

    Observation:

    • Using GeckoDriver/Firefox Referer: "https://www.python.org/" header was missing as follows:

          {
      "headers": {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 
        "Accept-Encoding": "gzip, deflate, br", 
        "Accept-Language": "en-US,en;q=0.5", 
        "Host": "httpbin.org", 
        "Upgrade-Insecure-Requests": "1", 
        "User-Agent": "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"
      }
    }

    • Using ChromeDriver/Chrome Referer: "https://www.python.org/" header was present as follows:

          {
      "headers": {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3", 
        "Accept-Encoding": "gzip, deflate, br", 
        "Accept-Language": "en-US,en;q=0.9", 
        "Host": "httpbin.org", 
        "Referer": "https://www.python.org/", 
        "Upgrade-Insecure-Requests": "1", 
        "User-Agent": "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36"
      }
    }

    Conclusion:

    It seems to be an issue with GeckoDriver/Firefox in handling the Referer header.

    Outro

    Referrer Policy

    0 讨论(0)
 看不清?
提交回复
热议问题