HTTP Referer

[Alkarex]

• Add an explanation in the documentation
  • Users must not fake their HTTP Referer to use the POST forms of FreshRSS, for security reasons, at least for the time being [Sécurité] Vulnérabilité de type CSRF pour changer le password #554
  • OWASP
  • http://fr.wikipedia.org/wiki/R%C3%A9f%C3%A9rant
  • http://en.wikipedia.org/wiki/HTTP_referer
• Add a test in install.php to warn users who might have altered their HTTP Referer (e.g. [bug] javascript refresh is looping #564)
  • http://en.wikipedia.org/wiki/Referer_spoofing

[Alkarex]

In Mozilla Firefox #564 (comment):

• network.http.sendRefererHeader should be set to its default value (2) or value 1. A value of 0 will fail. (0=don't send any, 1=send only on clicks, 2=send on image requests as well)
  • First, it's not so important: sensitive sites are supposed to use HTTPS which is mostly immune less sensitive to the Referer problem; and most of the inter-domain tracking is done by cookies and/or shared images/scripts which work even when Referer is disabled (and also to some extent when third-party cookies are disabled).
  • If you still really are concerned about HTTP inter-domain tracking, consider instead network.http.referer.XOriginPolicy (0=always send, 1=send iff base domains match, 2=send iff hosts match) and/or network.http.referer.trimmingPolicy (0=full URI, 1=scheme+host+port+path, 2=scheme+host+port).
  • There are also some add-ons for this job.
• Warning: using network.http.referer.spoofSource makes the browser vulnerable to XSRF attacks

[marienfressinaud]

We should also add a note about Docker: exposed port must be the same as the one on which Apache listens in the Docker container.

For instance, my Apache (in a container so) listens on port 80 but exposed port was 8080. So there was a redirection and I wasn't able to change configuration.

[Alkarex]

I do not know if it was your case, but HTTPS Referer is typically not sent between different { domain, port } so you end up with an empty Referer, which could be a sign of an attack.
Otherwise, I currently do not check the port in the Referer, only the domain, so if all pages are served from the same { domain, port} in the case of HTTPS, or same domain in the case of HTTP, there should be no problem.

[marienfressinaud]

It's just I asked a page on port 8080 but final request was on port 80 because the Docker redirection.

[Alkarex]

La conversation pour une meilleure méthode basée sur un token continue dans #570

[Alkarex]

Je copie un commentaire de @marienfressinaud #554 (comment)

il reste les actions comme "marquer comme lu" et "favoris". Si un id n'est pas forcément facile à deviner, il reste la question du bouton "tout marquer comme lu" qui peut être plus problématique pour certains.

[GLLM]

Just to let you know : since the last update I'm getting the HTTP_REFERER issue with a plain Android 4.4.3 (Galaxy S4) + default Chrome browser.

To access my FR, I use http://ip:port/path ... port being an exotic one.

I've been forced to deactivate the safe authentication, otherwise I cannot use it from my smartphone :(

A+
GLLM

[Alkarex]

@GLLM Is it at the form login that it fails?

[GLLM]

Yes, when trying to log in .. I never managed to get past the login screen.

[Alkarex]

Any chance that you could find out what value is sent in HTTP_REFERER in your case, for instance using a script with phpinfo (see below) with a link from another page?

<?php
phpinfo();

[GLLM]

If I create a standalone php page with the above code, open it on my smartphone, would it be ok ?

[GLLM]

Just did the test :
the value sent is : http://my.own.home.ip:port/

[Alkarex]

Could you please try to make a link from another page, like:

<a href="phpinfo.php">Link</a>

[GLLM]

Sorry @Alkarex I realized my mistake and just did the test : result above ;)

[Alkarex]

@GLLM : And what is the value of HTTP_HOST?

$_SERVER['HTTP_REFERER'];
$_SERVER['HTTP_HOST'];

[GLLM]

$_SERVER['HTTP_REFERER'] == http://my.own.home.ip:port/
$_SERVER['HTTP_HOST'] == my.own.home.ip:port

[Alkarex]

Ok, I see the problem. I will prepare a patch.

[GLLM]

U rock !
Merci
GLLM

[Alkarex]

@GLLM Please try the lastest /dev or with the patch a126d99

[GLLM]

Hello,

I manually edited the files ... works fine :)

Many thanks,
GLLM

[marienfressinaud]

Test of HTTP REFERER for installation has been implemented in 75bf305 and fc7d2a0

[alemairebe]

Hello,
I've just had an error with the http referer ;
I'm using a proxy in front of my webserver which is doing ssl offloading.
resulting a bad http_referer.
according to the code the proto scheme is only check if _SERVER[HTTPS] is on, but it sould also check those 2 :
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
Best regards,
Adrien

[Alkarex]

@alemairebe I have removed the check for scheme in the referer, while waiting for a better solution. Furthermore, I am not sure of the added security value of checking the scheme. ba7d63e
If possible, I would better like to find a cleaner solution than checking non-standard headers such as Front-End-Https.

[alemairebe]

ok, thanks for reacting so quickly

[Alkarex]

@marienfressinaud We may have to introduce a constant to override the guessing of the public URL based on $_SERVER['HTTP_HOST'], for the case of a proxy changing the scheme, and/or the host, and/or the port. But let's wait if anybody asks for it.

[Alkarex]

<meta name="referrer" content="never" /> is now implemented natively in FreshRSS for anonymising outgoing links #1210 and HTTP Referer checks are now accepting an empty string
Tests welcome of the /dev branch