zerosleeps

Since 2010

Firefox bug 1750706 has been resolved

Hey look! That’s my bug!

The piece of software I’ve built my career around defaults to checking the HTTP Referer header with each request, and if it doesn’t get exactly the value it wants, it invalidates the session. Game over.

It’s infuriating: the header is optional and was never intended to be used for anything remotely related to session security. And yet, back when I logged this bug, I had to really fight with the software vendor to get them to disable this check. We found that a lot of mobile browsers don’t include the Referer header when reloading a page, and services like Microsoft’s Defender SmartScreen and Google’s Safe Browsing don’t include the header at all when doing their remote scans. Ad blockers often strip the header, privacy-conscious users might disable this header, and browser plugins that intercept file downloads - like Adobe PDF plugins - don’t include the header. Heck, even duplicating browser tabs and opening browser developer tools was enough to trigger an abrupt logout.
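To make the failure mode concrete, here is an added example (my own illustration, not code from the original post or from the vendor's product) modelling the "exact-match Referer or log out" check described above, beside a check that treats an absent Referer as neutral on safe requests and authorises state-changing requests with a per-session CSRF token instead. The expected origin, the `Request`/`Session` shapes and every client scenario are constructed; `same_origin`, `strict_referer_check`, `tolerant_check` and `run_scenarios` are hypothetical names.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac
import secrets

EXPECTED_ORIGIN = "https://app.example.test"  # assumed origin of the web app


@dataclass
class Request:
    method: str
    headers: dict            # header name -> value; Referer may be absent
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    valid: bool = True


def same_origin(url: str) -> bool:
    """Compare scheme://host[:port] of a Referer/Origin value to EXPECTED_ORIGIN.
    A raw prefix test would accept https://app.example.test.evil."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == EXPECTED_ORIGIN


def strict_referer_check(req: Request, session: Session) -> bool:
    """The brittle behaviour: every request, plain GETs included, must carry a
    same-origin Referer, and any deviation (a missing header included) kills
    the whole session instead of rejecting just that one request."""
    referer = req.headers.get("Referer")
    if referer is None or not same_origin(referer):
        session.valid = False
        return False
    return True


def tolerant_check(req: Request, session: Session) -> bool:
    """Safe methods never consult Referer: its absence is normal (mobile
    reloads, link scanners, ad blockers, download helpers, duplicated tabs).
    State-changing requests are authorised by the session's CSRF token; the
    Origin/Referer header is only used when present, and a mismatch rejects
    that request, not the session."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is not None and not same_origin(source):
        return False
    return hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token)


def run_scenarios() -> dict:
    """Run both checks over constructed client behaviours; each scenario gets
    a fresh session so one strict-check failure cannot mask another."""
    def post_with_token(session, headers):
        return Request("POST", headers, {"csrf_token": session.csrf_token})

    scenarios = {
        # Mobile browser reloading a page: no Referer on the reload.
        "mobile_reload": lambda s: Request("GET", {}),
        # Link-safety scanner fetching the URL out of band: no Referer at all.
        "remote_link_scan": lambda s: Request("GET", {"User-Agent": "constructed-scanner/1.0"}),
        # Download helper plugin re-fetching a file without the Referer.
        "pdf_plugin_download": lambda s: Request("GET", {}),
        # Ordinary in-app form submit from the same origin.
        "same_origin_post": lambda s: post_with_token(
            s, {"Referer": EXPECTED_ORIGIN + "/settings", "Origin": EXPECTED_ORIGIN}),
        # Form submit whose Referer an ad blocker stripped; token still present.
        "stripped_referer_post": lambda s: post_with_token(s, {}),
        # Cross-site form post: foreign origin and no token.
        "cross_site_post": lambda s: Request(
            "POST", {"Origin": "https://attacker.example.test"}, {}),
        # Lookalike origin that a naive prefix comparison would accept.
        "lookalike_origin_post": lambda s: Request(
            "POST", {"Origin": EXPECTED_ORIGIN + ".evil"}, {}),
    }
    results = {}
    for name, build in scenarios.items():
        strict_session, tolerant_session = Session("alice"), Session("alice")
        results[name] = {
            "strict": strict_referer_check(build(strict_session), strict_session),
            "strict_session_survives": strict_session.valid,
            "tolerant": tolerant_check(build(tolerant_session), tolerant_session),
            "tolerant_session_survives": tolerant_session.valid,
        }
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:24} strict={r['strict']!s:5} tolerant={r['tolerant']!s:5}")
```

Running it shows the strict check logging the user out on every legitimate Referer-less request in the list above, while the tolerant check still rejects the cross-site and lookalike-origin posts without ever touching the session. The design point is that a missing Referer carries no information about who sent the request, so the only defensible reaction to it is "no opinion", not "log out".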

It affected a lot of our customers - they simply couldn’t use our service. But the vendor stood firm on their belief that this behaviour enhanced the security of their product, and didn’t seem concerned that it meant hundreds of our customers couldn’t even use the product. We were never able to come up with an explanation we could give our customers that didn’t make us sound like idiots either.

Anyway, that’s the story behind why I logged that Firefox bug.