Why did browser authors not make 127.0.0.1/localhost-hosted webpages skip the referrer?

For a long time, I was so convinced that 127.0.0.1/localhost-hosted webpages, that is, with URLs such as:

http://127.0.0.1/MySecretControlPanel/sensitive.php?stuff=goes&here=dude

… did not send the “HTTP referrer” header when you …

Retrieving CSRF token from third party website form using XHR (JavaScript)

I know they say CSRF tokens are the most secure way to prevent CSRF attacks, but what if someone uses XHR to retrieve the page containing the CSRF token along with the form and then uses that token for his attacks?

Why don’t they say “Refer…

If an application has an XSS vulnerability, can we bypass CSRF with referer header?

Let’s say there is an XSS vulnerability in an application, and the application is not using any kind of CSRF token, just using the referer header to protect against CSRF. The Referer header is validated properly. So in this case can we bypass…

Is it a good idea from a security standpoint to disable Referer headers in the browser? What discomforts will you have to deal with?

So what kind of discomfort will you have to deal with?

Will it break websites?

Or is it just a win for privacy?

You can disable the Referer headers in Firefox like this:

Open Firefox and type “about:config” in the add…